Forward request for 2nd factor to other RADIUS server - freeradius

I have been working with FreeRADIUS for quite some time now and it is working perfectly fine. I mostly use it for WiFi authentication and wired 1x auth, both with only one factor.
I now have a new usage scenario which is authenticating VPN users. This should be done using a two factor authentication. The first factor should be the Active Directory password and the 2nd factor should be either SMS, email or a Yubikey. For this 2nd factor, I already have a running RADIUS server which could be connected to by FreeRADIUS.
I tried to implement the setup described at the following website: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy.
The first step is working fine, the user is asked for their password and the password is verified against the Active Directory. Then, FreeRADIUS sends a new challenge asking for the OTP. At this time, the 2nd RADIUS server is not yet contacted and the SMS or the mail containing the 2nd factor is not sent. When the user enters something at the prompt, control is given over to the proxy RADIUS server which asks for the 2nd factor again and which then triggers SMS or email sending.
I have read the configuration of FreeRADIUS but I don't understand how to pass control to the proxy RADIUS server and let that server send the new challenge instead of the FreeRADIUS server. I guess the solution is very simple and I just don't see the forest for the trees...
So it would be great if someone could help me here...
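The round trip the question describes, as an added example in Python that is not part of the original post or of the FreeRADIUS wiki page: a toy front end that verifies the first factor itself, answers with an Access-Challenge carrying a State attribute, and from the next round on forwards the exchange to a separate second-factor server, re-obfuscating whatever the user typed under that server's shared secret and relaying its challenge (and its State) back to the NAS. Packet framing, User-Password obfuscation and the Response Authenticator follow RFC 2865; Message-Authenticator, retransmission and the UDP transport are left out, and the user, secrets, prompts and OTP values are made up.

```python
# Added example, not code from the original post or the FreeRADIUS wiki.
# Users, shared secrets and OTP values are made up; there is no UDP transport.
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def pap_crypt(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 User-Password: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data + b"\x00" * (-len(data) % 16) if encrypt else data
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else data[i:i + 16])
    return out if encrypt else out.rstrip(b"\x00")

def access_request(ident, secret, user, typed, state=None):
    auth = os.urandom(16)   # fresh Request Authenticator, also the IV for User-Password
    attrs = [(USER_NAME, user), (USER_PASSWORD, pap_crypt(typed, secret, auth, True))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def response(code, request, attrs, secret):
    """Reply to `request`: Response Authenticator = MD5(hdr + ReqAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body

def check_response(reply, request, secret):
    return hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest() == reply[4:20]

class OtpHomeServer:
    """Stands in for the second-factor server: 'sends' the OTP on first contact."""
    def __init__(self, secret, otps):
        self.secret, self.otps, self.sent = secret, otps, {}
    def handle(self, req):
        attrs = decode_attrs(req[20:])
        user, state = attrs[USER_NAME], attrs.get(STATE)
        typed = pap_crypt(attrs[USER_PASSWORD], self.secret, req[4:20], False)
        if state not in self.sent:                     # first contact: trigger SMS/mail here
            token = os.urandom(8)
            self.sent[token] = user
            return response(ACCESS_CHALLENGE, req,
                            [(REPLY_MESSAGE, b"OTP sent, enter it:"), (STATE, token)], self.secret)
        ok = self.sent.pop(state) == user and typed == self.otps.get(user)
        return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, [], self.secret)

class FirstFactorProxy:
    """Checks the AD password locally, then proxies the rest of the session to `home`."""
    def __init__(self, secret, home_secret, home, passwords):
        self.secret, self.home_secret, self.home, self.passwords = secret, home_secret, home, passwords
        self.pending = {}   # our State  -> user who passed factor one
        self.at_home = {}   # home State -> user whose session now lives at home
    def handle(self, req):
        attrs = decode_attrs(req[20:])
        user, state = attrs[USER_NAME], attrs.get(STATE)
        typed = pap_crypt(attrs[USER_PASSWORD], self.secret, req[4:20], False)
        if state is None:                              # round 1: the AD password
            if self.passwords.get(user) != typed:
                return response(ACCESS_REJECT, req, [], self.secret)
            token = os.urandom(8)
            self.pending[token] = user
            return response(ACCESS_CHALLENGE, req,
                            [(REPLY_MESSAGE, b"Password OK, continue:"), (STATE, token)], self.secret)
        if self.pending.pop(state, None) == user:
            home_state = None                          # first contact with home: it will challenge
        elif self.at_home.pop(state, None) == user:
            home_state = state                         # home's own State goes back to it
        else:
            return response(ACCESS_REJECT, req, [], self.secret)   # unknown or reused State
        fwd = access_request(req[1], self.home_secret, user, typed, home_state)  # re-keyed for home
        reply = self.home.handle(fwd)
        if not check_response(reply, fwd, self.home_secret):
            return response(ACCESS_REJECT, req, [], self.secret)
        reply_attrs = decode_attrs(reply[20:])
        if reply[0] == ACCESS_CHALLENGE:
            self.at_home[reply_attrs[STATE]] = user
        return response(reply[0], req, list(reply_attrs.items()), self.secret)  # re-signed for the NAS

def run_login(user, password, otp, second_prompt_entry=b"go"):  # returns the reply codes the NAS saw
    home = OtpHomeServer(b"home-secret", {b"alice": b"246810"})
    proxy = FirstFactorProxy(b"nas-secret", b"home-secret", home, {b"alice": b"Winter2024!"})
    codes, state = [], None
    for ident, typed in enumerate((password, second_prompt_entry, otp), start=1):
        req = access_request(ident, b"nas-secret", user, typed, state)
        reply = proxy.handle(req)
        assert check_response(reply, req, b"nas-secret"), "bad Response Authenticator"
        codes.append(reply[0])
        if reply[0] != ACCESS_CHALLENGE:
            break
        state = decode_attrs(reply[20:])[STATE]
    return codes
```

run_login(b"alice", b"Winter2024!", b"246810") returns [11, 11, 2]: two challenges, then an Access-Accept. The part that matters for the question is the bookkeeping in FirstFactorProxy.handle: whether a round is answered locally or forwarded is decided per packet, from the State the NAS echoes back, and the second-factor server only sees the session once the first State has come back, which is when it sends the OTP and issues its own challenge. A State that has already been consumed, or that belongs to nobody, is rejected rather than forwarded, and every reply is checked against the Request Authenticator of the packet it answers before anything is relayed.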

Related

Configure Jenkins to send gmail: What am I missing?

Trying to have Jenkins send an email to a Gmail account upon every build. I get:
Failed to send out e-mail
com.sun.mail.smtp.SMTPSendFailedException: 530-5.5.1 Authentication Required. Learn more at
530 5.5.1 https://support.google.com/mail/?p=WantAuthError 9sm5733284oij.25 - gsm
Here's what I tried so far:
Made the gmail account accept emails from less secure apps
Generated an application password from gmail and used it in my Jenkins configuration - got the same error with and without the app password
Looked at at least a dozen answers (yeah) and all the screens showing the Jenkins gmail config look the same as mine
telnet smtp.gmail.com 465 responds as connected
My Jenkins install is localhost using this URL: http://192.168.0.1:8080/
My system admin email address exists and is entered in Jenkins
I've tried filling in the section on Extended E-mail notification and removing the entries - no difference
Turned off Windows Defender, thinking, just maybe???
Also tried to configure Outlook/Hotmail using those smtp parameters but that gave different errors
Don't know if this matters but I have that 'It appears that your reverse proxy set up is broken' and I don't recall setting up a reverse proxy!
Any help would be greatly appreciated!
Set up Jenkins email notification as shown below:
To resolve this, create & use app passwords with 2-step verification turned on.
A less secure method is to allow less secure apps without 2-step verification.

OpenVPN + Radius authentication how to disconnect users

I'm trying to bring up an OpenVPN service that authenticates users via Radius. The Radius server is made by me so I can play with the code and understand the internals better.
Upon a successful login I receive accounting data from the OpenVPN server. By saving these sessions I can then count the number of open sessions each user has because I want to deny them the opportunity to login multiple times. I could impose it at the OpenVPN server config but I might add some other servers in the future and I want to do it from the Radius side - if possible.
My problem is on the Radius side, once I detect multiple logins, what do I do?
I could try to access the management console of OpenVPN from my radius code but...there's got to be a better way.
I also tried sending Session-Timeout in the Access-Accept reply message to something lower in order to force them to authenticate more often and do my checks there but that setting seems to have no effect on the radius plugin used by OpenVPN:
NAS-Identifier=openvpn_udp
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=10.50.0.14
OpenVPNConfig=/etc/openvpn/server.conf
overwriteccfiles=true
nonfatalaccounting=false
server
{
acctport=1813
authport=1812
name=10.50.0.13
retry=1
wait=1
sharedsecret=testing123
}
Any ideas on how to do this better?
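As an added example (not code from the original post or from the radius plugin), the bookkeeping the question describes: open sessions per user reconstructed from the plugin's accounting records, with the concurrency check done where the post wants it, at Access-Request time, plus the case where a Start arrives anyway. Record contents, users and addresses are constructed for the example.

```python
# Added example, not from the original post: the per-user session bookkeeping the
# post describes, driven by constructed accounting records of the kind the OpenVPN
# radius plugin sends (Start / Interim-Update / Stop). Users and addresses are made up.
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    session_id: str
    nas: str
    framed_ip: str
    started: float
    last_seen: float

class SessionTracker:
    """Open sessions per user, rebuilt from the NAS's Accounting-Request packets."""
    def __init__(self, limit=1, stale_after=600):
        self.limit, self.stale_after = limit, stale_after
        self.open = {}                       # Acct-Session-Id -> Session

    def may_login(self, user, now):
        """The check to run on an Access-Request before answering Access-Accept."""
        self.expire(now)
        return len(self.sessions_of(user)) < self.limit

    def account(self, rec, now):
        """Apply one accounting record; returns the sessions that put this user over
        the limit (the most recent logins), i.e. the ones that still need tearing down."""
        status, sid = rec["Acct-Status-Type"], rec["Acct-Session-Id"]
        if status == "Stop":
            self.open.pop(sid, None)
            return []
        if status not in ("Start", "Interim-Update"):
            return []
        s = self.open.get(sid)
        if s is None:                        # new session; a retransmitted Start reuses the id
            s = self.open[sid] = Session(rec["User-Name"], sid, rec["NAS-IP-Address"],
                                         rec.get("Framed-IP-Address", "?"), now, now)
        s.last_seen = now
        self.expire(now)
        return self.sessions_of(s.user)[self.limit:]

    def expire(self, now):
        """A NAS that died never sends Stop: forget sessions with no update for a while."""
        for sid in [k for k, s in self.open.items() if now - s.last_seen > self.stale_after]:
            del self.open[sid]

    def sessions_of(self, user):
        """Oldest login first, so the extra ones are the most recent logins."""
        return sorted((s for s in self.open.values() if s.user == user), key=lambda s: s.started)

# Constructed sample (seconds, record): alice logs in twice, bob once, then alice's
# second session ends.
SAMPLE = [
    (0,   {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "a1",
           "NAS-IP-Address": "10.50.0.14", "Framed-IP-Address": "10.8.0.2"}),
    (5,   {"Acct-Status-Type": "Start", "User-Name": "bob", "Acct-Session-Id": "b1",
           "NAS-IP-Address": "10.50.0.14", "Framed-IP-Address": "10.8.0.3"}),
    (60,  {"Acct-Status-Type": "Interim-Update", "User-Name": "alice", "Acct-Session-Id": "a1",
           "NAS-IP-Address": "10.50.0.14"}),
    (90,  {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "a2",
           "NAS-IP-Address": "10.50.0.14", "Framed-IP-Address": "10.8.0.4"}),
    (120, {"Acct-Status-Type": "Stop", "User-Name": "alice", "Acct-Session-Id": "a2",
           "NAS-IP-Address": "10.50.0.14"}),
]

def replay(records=SAMPLE, limit=1):
    """Feed the records to a tracker; returns (ids flagged as extra, the tracker)."""
    tracker, flagged = SessionTracker(limit=limit), []
    for now, rec in records:
        flagged += [s.session_id for s in tracker.account(rec, now)]
    return flagged, tracker
```

may_login is the check to run before sending Access-Accept; account returns the sessions that are over the limit once a Start has arrived anyway, which is the list you would act on by whatever means the NAS offers (the post leaves that part open). The stale-session expiry matters because a NAS that is restarted never sends Stop for its old sessions, and without it a user would stay locked out until someone cleans the table by hand.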

Primer on Getting Started

I'm just getting started with D2L and am running into problems.
On the "Getting Started" page, I have completed the first three steps:
1) Acquire an App Key/ID pair from D2L - I have received the App ID and App Key
2) Create a test account in your host LMS - I have created a new user account with the administrator role for testing
3) Choose a client library to work with - I am using the PHP SDK
4) Authenticate with your LMS - This is where I'm running into trouble.
When I use the Getting Started sample:
http://samples.valence.desire2learn.com/samples/GettingStartedSample/
And enter my host, app ID and app key and hit the "Authenticate" button, I get a "This application is not authorized on this LMS instance. Ask your administrator to authorize this application" error.
I am an administrator on my D2L host and I'm not sure how to authorize my own app.
I have tried the following:
Navigating to the "Manage Extensibility" page because that's where D2L says my app should be located, but it isn't there.
Enabling the API (d2l.Security.Api.EnableApi) under the "DOME" page to no avail.
What am I doing wrong?
Based on your question and comments, there were two issues here:
First is that the list of App ID/Key pairs appropriate for your LMS gets regularly fetched by your LMS from the D2L KeyTool service. The schedule for this fetching is once a day; accordingly, if the scheduled task isn't set up, or if your LMS isn't identifying itself properly to the KeyTool service, or if time hasn't yet elapsed after key granting to the next scheduled run of the task, the App won't yet be in your LMS' Manage Extensibility list. It sounds like you no longer have that issue.
Second is that the Valence Learning Framework APIs' authentication process (requesting and retrieving a set of user tokens for an LMS user) requires several LMS features to be properly set up: (a) the LMS must be configured to support Deep Linking, (b) the LMS must be set up to handle the ?target= parameter on incoming client URL requests, and curate that parameter throughout the user authentication process.
In cases where your LMS is not doing the user authentication but depending upon another, third-party IDP (like Shibboleth), any ?target= parameter passed into the login process must be taken care of by the IDP and properly handed back to the LMS after user authentication. In a situation where you have multiple redirections occurring during user authentication, this can involve successive generation of a target parameter, and each generation must re-URL-encode the previous request URL in its entirety (like sticking an envelope inside another envelope, inside yet another envelope).
If your LMS is not properly configured to support these two points, which you might not notice during other operations, then client calls to the Learning Framework APIs won't work because the calling client won't be able to fetch back a set of user tokens.
To solve the second of these issues, you may have to contact D2L's Customer Support desk -- they can verify, and adjust as necessary, the LMS configuration part of this authentication chain. If you're integrating your LMS with other third-party IDP components not administered or deployed by D2L, then you might also need to adjust their configurations: D2L can likely advise on what needs to be done there (curate the target parameter on URLs), but cannot adjust the configuration for you in those cases.
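The envelope-inside-an-envelope handling the answer describes, as an added example in Python (not code from the answer, from D2L or from its SDK; the hostnames and the trusted-host check are assumptions made for the illustration): each hop in the login chain wraps the previous request URL whole as a single URL-encoded target value, and each hop on the way back decodes exactly one layer.

```python
# Added example, not from the original answer, D2L or its SDK: nested ?target=
# envelopes across a redirect chain, decoded one layer per hop. Hostnames and the
# trusted-host check are assumptions for illustration.
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

def wrap(hop_url, target):
    """Redirect to `hop_url` carrying `target` (a full URL, possibly itself a wrapper)
    as a single URL-encoded query value, on top of any query `hop_url` already has."""
    parts = urlparse(hop_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query["target"] = target
    return urlunparse(parts._replace(query=urlencode(query)))

def unwrap(url):
    """Exactly one layer of decoding: the target this URL carries, verbatim, or None."""
    target = parse_qs(urlparse(url).query).get("target")
    return target[0] if target else None

def build_chain(client_url, hops):
    """Client -> LMS -> IdP -> ...: every hop wraps the previous request URL whole."""
    url = client_url
    for hop in hops:
        url = wrap(hop, url)
    return url

def peel(url, trusted_hosts):
    """Walk the envelopes back out, one hop at a time, and return every URL on the way.
    Each layer must point at a host we trust; otherwise a crafted inner target would turn
    the login round trip into an open redirect."""
    chain = []
    while url is not None:
        host = urlparse(url).hostname
        if host not in trusted_hosts:
            raise ValueError("refusing to redirect to untrusted host %r" % host)
        chain.append(url)
        url = unwrap(url)
    return chain
```

unwrap applied once to the outermost URL yields the LMS request, not the client's; only one decode per hop gets back to the original request, which is why an IdP that decodes twice, or re-encodes only part of the URL, breaks the token fetch. The host check in peel is not something the answer asks for, but a login flow that follows an arbitrary target is an open redirect, so validating every layer is the check to add when you wire this up yourself.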

PayPal Instant Update API not working on HTTPS

We are building an online store that is based on Spree and hosted on Heroku. We want to make the checkout as easy as possible so we decided to use PayPal Express Checkout, and Instant Update API to determine the shipping cost.
When we tested the checkout process over HTTP, everything works perfectly - when the user enters his shipping address, PayPal queries our server in the background and obtains the shipping costs.
However when we switched to SSL, the shipping cost just doesn't update and reverts to the default flat-rate. I cannot figure out what is wrong because everything is the same, except this time the app is accessed through HTTPS, i.e. https://myapp.herokuapp.com
I have checked the logs and I see that PayPal's server did make the query, but the shipping cost just doesn't update on PayPal's checkout page.
Any thoughts on what's wrong?
Update:
After further testing, it seems PayPal is not obeying the timeout set in the transaction setup. We added a simple "sleep(x)" to the callback method to artificially induce some delay (by x seconds), and even over normal HTTP, just 1 second delay is enough to cause PayPal to ignore the response.
The max timeout is supposed to be 6 seconds, but in reality it doesn't seem to be the case at all. And couple that with HTTPS (which take longer to establish a connection), it is probably why the callback was failing in the first place.
I have submitted a ticket to PayPal, but I'm not sure if they will respond or do anything about it...
It appears there are many reasons that PayPal could ignore the returned shipping options from the callback.
I'd like to see something on PayPal's site that would keep a history of recent calls to the callback with the returned response and reasons for rejection - somewhat similar to the useful IPN history.
I'm glad you posted your real domain name here because you've pretty much confirmed my suspicions.
I'm pretty convinced the problem is that you have a wildcard SSL (I see your certificate is issued to *.herokuapp.com) and not just an SSL for a single domain.
I am having the same problem with a UCC certificate for www.MicroPedi.com which is a 5 name UCC certificate. PayPal just flat out refuses to even make any calls to it (I have logging and nothing is coming through except when using the sandbox).
To confirm this I have a previous Express checkout implementation that is working just fine (with a single SSL) and I pointed my new application to that old URL and it magically started working again. That is a single name SSL - in fact it's one of those expensive green bar certificates.
I've written directly to PayPal support, but right now the only thing I can think of doing as a workaround is writing some kind of proxy page that will just redirect from the good domain to my UCC domain.

iphone: is there any secure way to establish 2-way SSL from an application

I need to establish a HTTPS 2-way SSL connection from my iPhone application to the customer's server.
However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue).
From what I have found so far the only way that the app would be able to access the certificate is to provide it pre-bundled with the application itself, or expose a URL from which it could be fetched (IPhone app with SSL client certs).
The thing is that neither of these two ways prevents a third party from getting the certificate, which, if accepted as a risk, eliminates the need for 2-way SSL (since anyone can have the client certificate).
The whole security protocol should look like this:
- HTTPS 2-way SSL to authenticate the application
- OTP (token) based user registration (client side key pair generated at this step)
- SOAP / WSS XML-Signature (requests signed by the keys generated earlier)
Any idea on how to establish the first layer of security (HTTPS) ?
Ok, so to answer my own question...
It turned out that the security has no fixed scale of measurement.
The security requirements are satisfied as long as the price for breaking the system is significantly above the prize that one would get for doing so.
In my situation we are talking about e-banking system, but with somewhat low monthly limits (couple of thousands USD).
As I mentioned in my question there would be another layer of security above the HTTPS which will feature WSS XML-Signatures. The process of registering the user and accepting his public key is also done in several steps. In the first step the user sends his telephone number together with a code retrieved somehow from my client. Then an SMS is sent to the user with a confirmation code. The user enters the confirmation code into an OTP calculator that would produce an OTP code which will identify the user. Then the public key is sent to the server together with the OTP code. From here on every request would be signed by the private counterpart of the public key sent to the server earlier.
So the biggest weakness of the whole process is that someone reverse engineers the application and retrieves the client certificate used for the SSL. The only problem arising from this is that someone might observe users' transactions. However in order for someone to make a transaction he would need the user's private key, which is generated, encrypted and stored into the keychain. And the price for breaking this security level is VERY HIGH.
We will additionally think on how to protect the users' data on a higher level (e.g. using WSS Encryption), but for the start I think we are good with the current solution.
Any opinion?
Regards
https doesn't really work this way. In a nutshell, you attach to a secure server where the certificates are signed by a well known authority.
If you use Apple's (iPhone) classes for this, they will only accept 'good' certificates. By good, I mean what Apple deems as acceptable. If you don't use them (there are alternatives in the SDK), you won't be able to connect (except, maybe, in the case where you have an 'Enterprise' developers license - but I can't say that with 100% certainty as I haven't looked enough at this license to be sure)
To continue, use your https connection to your correctly signed website and then institute some sort of login with a built in username/password, or challenge/response based upon the unique ID of the iPhone (for example) and exchange keys using that connection.
Note that this means that your application will have to query for new certificates at (each connection/every X connections/every month/application specified intervals) to keep them up to date. You can then use these certificates to connect to the more secure server.
[edit]
Check this post - may have more information about what you're asking to do
[/edit]
[edit2]
Please note that the request is iphone, not OSX - app store approval is an issue
[/edit2]
