2FA Challenge via Proxy Realm with valid State


2FA Challenge via Proxy Realm with valid State

maddogbill
Hi,

I was hoping to follow the clearly written Wiki article:
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

My problem is that the 2FA Radius Proxy used to verify the OTP requires a
valid State value, so currently the login process is a 3 step process! I
have allowed State in the Pre-Proxy Attributes filter.

So the current flow is:
1) Username/Password request via AD LDAP
2) Unsuccessful OTP request with invalid State value ( returns valid State
value from the remote OTP Radius server )
3) Successful OTP request

Anyone able to suggest how I go about getting a valid State value from the
OTP radius during the first Access-Request so that the
first Access-Challenge response contains this valid State value?

Thanks,
Bill
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 2FA Challenge via Proxy Realm with valid State

Alan DeKok-2
On Feb 12, 2020, at 10:47 AM, Bill Noyce <[hidden email]> wrote:
> I was hoping to follow the clearly written Wiki article:
> https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

  OK.

> My problem is that the 2FA Radius Proxy used to verify the OTP requires a
> valid State value, so currently the login process is a 3 step process! I
> have allowed State in the Pre-Proxy Attributes filter.
>
> So the current flow is:
> 1) Username/Password request via AD LDAP
> 2) Unsuccessful OTP request with invalid State value ( returns valid State
> value from the remote OTP Radius server )

  More correctly *no* State.

  The State is created by the home server, and sent in an Access-Challenge.

> 3) Successful OTP request
>
> Anyone able to suggest how I go about getting a valid State value from the
> OTP radius during the first Access-Request so that the
> first Access-Challenge response contains this valid State value?

  Proxy the original Access-Request to the OTP radius.  However, doing this involves checking the users password in the "authorize" section:

authorize {
        if (!State) {
                if (&User-Password) {
                        # If !State and User-Password (PAP), then force LDAP:
                        update control {
                                Ldap-UserDN := "%{User-Name}@my-domain.com"
                        }
                }

                # run the "authenticate" method of "ldap"
                ldap.authenticate
                if (!ok) {
                        reject
                }
                update control {
                        Proxy-To-Realm := "foo"
                }
        }
        ...
}

  Something like that should work.

Re: 2FA Challenge via Proxy Realm with valid State

maddogbill
In reply to this post by maddogbill
Thanks Alan,

Your advice was spot on. I moved/added the ldap.authenticate so that both
steps use the Proxy-To-Realm, and this meant the correct Access-Challenge
response is sent during the first step.

if (!State) {
        if (&User-Password) {
                # If !State and User-Password (PAP), then force LDAP:
                update control {
                        Ldap-UserDN := "%{User-Name}@my-domain.com"
                        Auth-Type := LDAP
                }
                ldap.authenticate
                if (!ok) {
                        reject
                }
        } else {
                reject
        }
}
update control {
        Proxy-To-Realm := "proxy-test"
}

I kept 2 rejects for both a missing User-Password and an invalid LDAP bind.
The Proxy-To-Realm always fires off.


[user@test-vm ~]$ echo "User-Name=testuser,User-Password=testpassword" | radclient -x 127.0.0.1:1812 auth test1234
Sent Access-Request Id 35 from 0.0.0.0:52833 to 127.0.0.1:1812 length 46
        User-Name = "testuser"
        User-Password = "testpassword"
        Cleartext-Password = "testpassword"
Received Access-Challenge Id 35 from 127.0.0.1:1812 to 0.0.0.0:0 length 117
        Reply-Message = "Enter a response from your token with serial number 01234-45678."
        State = 0x49475261646975733a4445562d455345432d483230333a313831323a31
(0) -: Expected Access-Accept got Access-Challenge

[user@test-vm ~]$ echo "User-Name=testuser,User-Password=27938732,State=0x49475261646975733a4445562d455345432d483230333a313831323a31" | radclient -x 127.0.0.1:1812 auth test1234
Sent Access-Request Id 178 from 0.0.0.0:33432 to 127.0.0.1:1812 length 77
        User-Name = "testuser"
        User-Password = "27938732"
        State = 0x49475261646975733a4445562d455345432d483230333a313831323a31
        Cleartext-Password = "27938732"
Received Access-Accept Id 178 from 127.0.0.1:1812 to 0.0.0.0:0 length 20


Thanks again,
Bill
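The two-step exchange Bill shows with radclient, and Alan's point that the State is minted by the home server and returned in its Access-Challenge, as an added example that is not part of this thread or of FreeRADIUS itself: a Python simulation of NAS, proxy and OTP home server using RFC 2865 packet framing and PAP password hiding. The AD password, the OTP, the home-server shared secret and the "realm" (a direct method call rather than a UDP hop) are constructed assumptions. The proxy applies the authorize-section logic from the thread (no State: verify the password first, then proxy; State present: proxy straight through), and the home server treats State as opaque, unguessable and single-use, so a forged or replayed State is rejected even though the proxy never re-checks the AD password on that leg.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# Constructed test data, not the thread's real servers: one AD password, one valid OTP, two secrets.
AD_USERS = {"testuser": "testpassword"}
OTP_CODES = {"testuser": "27938732"}
NAS_SECRET = b"test1234"       # NAS <-> proxy secret, as in the radclient example
HOME_SECRET = b"home-secret"   # proxy <-> OTP home server secret (assumed)

def build(code, ident, authenticator, attrs, secret=None):
    """Serialise a RADIUS packet; given a secret, compute the RFC 2865 Response Authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        authenticator = hashlib.md5(hdr + authenticator + body + secret).digest()
    return hdr + authenticator + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i + 2 <= length and pkt[i + 1] >= 2:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def verify_response(pkt, req_auth, secret):
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() == pkt[4:20]

def pap_hide(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    data, out, prev = password.encode().ljust(-(-len(password) // 16) * 16, b"\0"), b"", req_auth
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(blob, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")

class OtpHomeServer:
    """Home OTP server: mints State in an Access-Challenge and accepts the OTP only with that State."""
    def __init__(self, secret):
        self.secret, self.pending = secret, {}

    def handle(self, pkt):
        _, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        user, pw = a[USER_NAME].decode(), pap_reveal(a[USER_PASSWORD], self.secret, req_auth)
        if STATE not in a:                     # first leg: hand out an opaque, single-use State
            state = os.urandom(16)
            self.pending[state] = user
            reply = [(REPLY_MESSAGE, b"Enter a response from your token."), (STATE, state)]
            return build(ACCESS_CHALLENGE, ident, req_auth, reply, self.secret)
        ok = self.pending.pop(a[STATE], None) == user and OTP_CODES.get(user) == pw
        return build(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)

class Proxy:
    """FreeRADIUS-like proxy: with no State, check the AD password first; either way proxy to home."""
    def __init__(self, nas_secret, home):
        self.nas_secret, self.home = nas_secret, home

    def handle(self, pkt):
        _, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        pw = pap_reveal(a[USER_PASSWORD], self.nas_secret, req_auth)
        if STATE not in a and AD_USERS.get(a[USER_NAME].decode()) != pw:
            return build(ACCESS_REJECT, ident, req_auth, [], self.nas_secret)
        fwd_auth = os.urandom(16)              # re-hide the password under the home-server secret
        fwd = [(USER_NAME, a[USER_NAME]), (USER_PASSWORD, pap_hide(pw, self.home.secret, fwd_auth))]
        fwd += [(STATE, a[STATE])] if STATE in a else []   # State must survive the pre-proxy filter
        reply = self.home.handle(build(ACCESS_REQUEST, ident, fwd_auth, fwd))
        if not verify_response(reply, fwd_auth, self.home.secret):
            return build(ACCESS_REJECT, ident, req_auth, [], self.nas_secret)
        code, _, _, rattrs = parse(reply)      # relay Challenge/Accept/Reject, State included, to the NAS
        return build(code, ident, req_auth, rattrs, self.nas_secret)

def nas_request(proxy, ident, user, password, state=None):
    """One Access-Request as radclient sends it; returns (reply code, State attribute from the reply)."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password, NAS_SECRET, req_auth))]
    attrs += [(STATE, state)] if state else []
    reply = proxy.handle(build(ACCESS_REQUEST, ident, req_auth, attrs))
    if not verify_response(reply, req_auth, NAS_SECRET):
        raise ValueError("bad Response Authenticator from proxy")
    code, _, _, rattrs = parse(reply)
    return code, dict(rattrs).get(STATE)

def two_step_login(proxy, user, ad_password, otp):
    """Full flow from the thread: expect (ACCESS_CHALLENGE, ACCESS_ACCEPT) for good credentials."""
    code1, state = nas_request(proxy, 35, user, ad_password)
    if code1 != ACCESS_CHALLENGE:
        return code1, None
    return code1, nas_request(proxy, 178, user, otp, state)[0]
```

Run it with `two_step_login(Proxy(NAS_SECRET, OtpHomeServer(HOME_SECRET)), "testuser", "testpassword", "27938732")`, which returns `(11, 2)`, the Access-Challenge then Access-Accept pair from the radclient output above. Two details matter beyond the unlang: the proxy copies State verbatim on the second leg (the equivalent of allowing it through the pre-proxy attribute filter), and it checks the home server's Response Authenticator before relaying anything to the NAS, so a spoofed reply from the home-server address cannot mint an Access-Accept.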

Re: 2FA Challenge via Proxy Realm with valid State

Alan DeKok-2
On Feb 13, 2020, at 5:11 AM, Bill Noyce <[hidden email]> wrote:
>
> Your advice was spot on. I moved/added the ldap.authenticate so that both
> steps use the Proxy-To-Realm, and this meant the correct Access-Challenge
> response is sent during the first step.

  Good to hear.

> if (!State) {
>        if (&User-Password) {
>                # If !State and User-Password (PAP), then force LDAP:
>                update control {
>                        Ldap-UserDN := "%{User-Name}@my-domain.com"
>                        Auth-Type := LDAP

  You don't need "Auth-Type := LDAP" here.  It can be deleted.

>                }
>                ldap.authenticate
>                if (!ok) {
>                        reject
>                }
>        } else {
>                reject
>        }
> }
> update control {
>        Proxy-To-Realm := "proxy-test"
> }
>
> I kept 2 rejects for both a missing User-Password and an invalid LDAP bind.
> the Proxy-To-Realm always fires off.

  Good!

  FreeRADIUS can do almost anything. :)

  Alan DeKok.
