Doing 2FA via Freeradius with our own 2FA app - freeradius

Some data first:
Freeradius v3.0.17
Active Directory as LDAP
OTP app developed by ourselves
What we want to achieve is 2FA via Freeradius. We are using authentication with ntlm_auth against an MS AD, and on the other hand we have our own OTP script (this is working in another solution).
At first we have a policy that splits the user and token, like this --> username:OTP. This is working.
This process is called at the top of the authorize section on the Default site.
In policy.d/pol_usernamemultiotp.authorize:
pol_usernamemultiotp.authorize {
    if ( &User-Name =~ /^(.*):([0-9]{6})$/) {
        update request {
            Stripped-User-Name := "%{1}"
            User-OTP := "%{2}"
        }
    }
}
The ntlm_auth is working properly.
When we add the following code in the authorize section on Default, the authentication jumps to Auth-Type := LDAP and won't go through ntlm_auth.
update control {
    Auth-Type := `/bin/bash /etc/freeradius/3.0/otpIB.sh '%{Stripped-User-Name}' '%{User-OTP}' '%{Client-IP-Address}'`
}
(This script returns "Accept" or "Reject" depending on whether the OTP is correct.)
We also tried to put this update control in the Post-Auth section on Default. But here is the problem. Let us show you with the Freeradius -X logs:
(0) mschap: Program returned code (0) and output 'NT_KEY: C1964544A5B93877F0D3FE7D9E5791D0'
(0) mschap: Adding MS-CHAPv2 MPPE keys
(0) [mschap] = ok
(0) } # authenticate = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update control {
(0) Executing: /bin/bash /etc/freeradius/3.0/otpIB.sh '%{Stripped-User-Name}' '%{User-OTP}' '%{Client-IP-Address}':
(0) EXPAND %{Stripped-User-Name}
(0) --> fdelfranco
(0) EXPAND %{User-OTP}
(0) --> 770355
(0) EXPAND %{Client-IP-Address}
(0) --> 10.40.9.3
(0) Program returned code (0) and output 'Reject'
(0) Auth-Type := Reject
(0) } # update control = noop
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 195 from 10.40.9.99:1812 to 10.40.9.3:21481 length 0
(0) MS-CHAP2-Success 0xf9533d36433832463034413330323043344533314246333736383533364234324641453142383843383145
(0) MS-MPPE-Recv-Key = 0x66e467b713b84475fa5ed19d93207ef3
(0) MS-MPPE-Send-Key = 0x75f6cbee712186fe6ebeca98ea9ab063
(0) MS-MPPE-Encryption-Policy = Encryption-Allowed
(0) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(0) Finished request
NTLM_AUTH works perfectly and gives an Access-Accept, completely ignoring the script and the Auth-Type := Reject that it returns!
Why is the Radius ignoring the state of "reject" from the script and authorizing the user?
Any suggestions?
Edit:
Today we managed to get this thing working without a challenge, but working. We created a kind of new Auth Type and put the policy there, so when we do the authorize part, it calls this pseudo Auth Type in the authenticate section of the Default file, and after that it makes a call to our own policy, where we have pointed to our own shell script that does the one-time-password validation properly.
It works great with Cisco VPN client, Forti Client and with Mac OS native client for IPSEC.

Auth-Type must be set on reply, not control.
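
One way to make a failed OTP check actually stop the request, as an added unlang example that is not from the original posts: run the script in authorize, keep its output in a scratch attribute instead of Auth-Type, and end the request with the reject keyword. It assumes the server's built-in Tmp-String-0 attribute is free to use, that User-OTP is defined in the local dictionary as in the question, and non-EAP MS-CHAPv2 as in the debug log above (one Access-Request per login).

```unlang
# sites-enabled/default (added example, not the poster's configuration)
authorize {
    # Split "username:OTP" into Stripped-User-Name and User-OTP
    # (the policy shown in the question).
    pol_usernamemultiotp.authorize

    # No six-digit OTP suffix was supplied: fail closed before any
    # password check is attempted.
    if (!&User-OTP) {
        reject
    }

    # Run the OTP script and keep its output ("Accept" or "Reject") in a
    # scratch attribute. Auth-Type is left untouched so that mschap can
    # still set it and ntlm_auth runs in the authenticate section.
    update control {
        &Tmp-String-0 := `/bin/bash /etc/freeradius/3.0/otpIB.sh '%{Stripped-User-Name}' '%{User-OTP}' '%{Client-IP-Address}'`
    }

    # Reject unless the script printed exactly "Accept". The explicit
    # existence test covers a script that produced no output at all, so a
    # broken or missing script cannot let the request through.
    if (!&control:Tmp-String-0 || (&control:Tmp-String-0 != "Accept")) {
        reject
    }

    # The remaining stock modules follow here; mschap sets
    # Auth-Type := mschap for the password check via ntlm_auth.
    mschap
}
```

With this in place, a wrong OTP should show "Sent Access-Reject" in the freeradius -X output without the mschap authenticate step ever running.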

Related

FreeRadius can't set custom variable

We want to set up StrongSwan VPN with FreeRadius for authentication. In addition to that we want to assign different subnets to users based on AD-Groups. StrongSwan uses the class attribute in an access-accept reply for that (https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius).
To my knowledge it is possible to use custom attributes in FreeRadius to store data used during the reply/proxy/control… process and send that back to StrongSwan.
Unfortunately this is not working in our FreeRadius environment and the custom attribute stays empty. It is however possible to access attributes already existing in the reply list.
This configuration for example sends back an empty Variable Reply-Message.
/etc/raddb/dictionary:
ATTRIBUTE test 3000 string
/etc/raddb/users:
DEFAULT test = "TESTTEST"
/etc/raddb/sites-enabled/default:
…
post-auth {
    …
    update reply {
        Reply-Message := "%{control:test}"
    }
    …
}
Log-Output:
(11) [exec] = noop
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) update reply {
(11) EXPAND %{control:test}
(11) -->
(11) Reply-Message :=
(11) } # update reply = noop
(11) } # post-auth = noop
(11) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:50913 length 0
(11) MS-MPPE-Recv-Key = 0xd23e4723df9ff904741b91827518aaa48dcbca27204024965d37fdb6bece0270
(11) MS-MPPE-Send-Key = 0x4e7de0fc944a5114ab435df43fa943901870741a86571e3ccddef11b82e406e1
(11) EAP-Message = 0x03050004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "raduser"
(11) Reply-Message := ""
(11) Finished request
FreeRADIUS Version 3.0.19
According to these guides, the configuration above should work:
returning custom user attributes in the radius reply
https://serverfault.com/questions/939980/freeradius-return-user-groups-in-class-field
Is there anything we’re missing? Thanks in advance.
Your reply message should be formatted as
Reply-Message := "Hello, %{User-Name}"
In your configuration file, you defined DEFAULT test = "TESTTEST" but in the reply message you have mentioned "%{control:test}".
Please try with it.

returning custom user attributes in the radius reply

I am using (and enjoying) Freeradius v3 and I have been beating my head against something I am sure the community has already figured out.
I have a custom user attribute defined in the dictionary and included in my authorize file:
me Mygroup :="usergroup", Cleartext-Password := "password1234"
...and I am able to update the reply from the radius server by adding the following to the default site (/etc/freeradius/3.0/sites-available/default)
update reply {
    Reply-Message := "additional info"
}
Running a simple radtest from the command line:
radtest me password1234 192.168.x.x 0 $secret
...gives me the following:
Sent Access-Request Id 204 from 0.0.0.0:38090 to 192.168.2.161:1812 length 77
User-Name = "me"
User-Password = "password1234"
NAS-IP-Address = 192.168.x.x
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "password1234"
Received Access-Accept Id 204 from 192.168.x.x:1812 to 0.0.0.0:0 length 53
Reply-Message = "additional info"
What variable, command line switch or other should I include to get the "Mygroup" information in the "additional info" section?
I am not trying to boil an ocean, I know there are some pretty involved group/huntgroup/permission configurations for freeradius but all I need is that data in the Reply-Message.
Thanks!
If you take a look at this question about how the users file works, you'll see that attributes with that operator, on the first line of a users file entry, get inserted into the control list.
If you want to access that attribute somewhere else, you need to add a list qualifier, i.e. control:Mygroup.
As you're wanting to insert the value into a string, you need to use the string interpolation syntax (referred to as xlat or string expansions in the FreeRADIUS docs). For simple attribute expansions, you just wrap the attribute name and its qualifiers in %{ and }.
So your final unlang update block would look something like:
update reply {
    Reply-Message := "%{control:Mygroup}"
}

Policy in freeradius isn't running

I'm building a freeradius server for authentication.
I have a problem with policy.conf:
The policy.conf was loaded in radius.conf as $INCLUDE policy.conf but the content of this file didn't work.
I tested by logging in with the 'test' user but it didn't reject. Can someone help me with this? Thanks very much.
policy {
    #
    # Forbid all EAP types.
    #
    if (User-Name == 'test'){
        reject
    }
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }
    #
    # Forbid all non-EAP types outside of an EAP tunnel.
    #
    permit_only_eap {
        if (!EAP-Message) {
            # We MAY be inside of a TTLS tunnel.
            # PEAP and EAP-FAST require EAP inside of
            # the tunnel, so this check is OK.
            # If so, then there MUST be an outer EAP message.
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }
    #
    # Forbid all attempts to login via realms.
    #
    deny_realms {
        if (User-Name =~ /#|\\/) {
            reject
        }
    }
}
First you need to give your policy a name (like the other policies in the policy section).
policy {
    reject_test {
        if (User-Name == 'test'){
            reject
        }
    }
}
You then need to list the policy in one of the sections (authorize, authenticate, post-auth etc...) of one of the virtual servers.
See the concepts page in the FreeRADIUS wiki for some basic details about which sections get run and where.
If you're using a stock configuration you'll likely need to edit raddb/sites-available/default.
In this case you probably want to add your policy to the authorize section.
authorize {
    reject_test
    ...
}
You don't actually need to define policies in order to use the policy language; you could insert your condition directly into the authorize section.
authorize {
    if (User-Name == 'test'){
        reject
    }
}

How to check the status of a link?

I'm running a MANET simulation in ns2 using AODV routing protocol. Is there any way I can check whether a node forwards data it receives to the next node in the route or check whether the link between 2 nodes is active?
Try this:
package require http
package require tls
http::register https 443 [list ::tls::socket -tls1 1]
set url "https://google.com"
if {![catch {set token [::http::geturl $url]} msg]} {
    if {[::http::status $token] == "ok"} {
        # Do something when the token is ok, for example print the HTTP code
        puts [::http::code $token]
    } else {
        # Do something when the token status is not ok
    }
} else {
    # Print the error when the URL is invalid or the host is unreachable
    puts "oops: $msg"
}

How to get User-Password in inner tunnel from iOS

I am attempting to set up a freeradius service to allow authentication against an https API. I have it working for most Android devices, and even my MacBook Pro works. However, when we attempt to use an iOS device (iPad, iPhone), the inner tunnel fails to get the User-Password field.
So the current setup is EAP -> TTLS -> custom auth
eap.conf ttls section:
ttls {
    default_eap_type = md5
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}
inner-tunnel custom auth:
authorize {
    ...
    update control {
        Auth-Type := `/usr/local/bin/admin_portal.py %{User-Name} '%{User-Password}' %{Calling-Station-Id}`,
        Fall-Through = Yes
    }
}
When I run in debug mode, I get the following output
expand: %{User-Name} -> user#somedomain.com
expand: '%{User-Password}' -> ''
expand: %{Calling-Station-Id} -> 01-23-45-67-89-ab
However, when I use a non-iOS device, the password is populated.
Any help would be appreciated.
Thank you.
You need a TTLS inner method that sends the password in the clear. The most common method is TTLS-PAP.
If the supplicant authenticates with TTLS-PAP, the proxied request (to the inner tunnel) will contain a User-Password attribute, with the value the user entered (or was cached) by their supplicant.
Below is an example of setting up the profile with the Apple Configurator.
