Best/fastest method to query external radius OTP


Best/fastest method to query external radius OTP

nash35
Hello dear users. Could you help?
We have a freeradius 3.0.x configuration working
- Authorization with LDAP
- Authentication with LDAP, backup to files

Now I am trying to get validation from an OTP provider.

It needs to send a RADIUS request with User-Name="myusername",
User-Password="push" (this one is always "push", not the original password). The
"push" word triggers a push notification on the mobile that needs to be
answered, and then the OTP provider's RADIUS server answers with accept or reject.

I have tried radclient (working in console mode) with the exec module, but I am
having some issues moving it to the rlm_exec module (piping data, I think).

So far I have reached:

exec myotp {
        input_pairs = request
        wait = yes
        timeout = 30
        program = "/bin/echo \"User-Name=$USER_NAME,User-Password=push\" | /bin/radclient -r 1 -t 20 xx.xx.xx.xx:1812 auth mysecret"
}
Of course, the testing of what the command returns is still missing.

But this does not work. It seems piping is not working and I cannot put two
commands there.
Any idea where the issue is?

Is there a better or faster way?

thanks

nash35
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Best/fastest method to query external radius OTP

Alejandro Perez-Mendez
I have never used the exec module, but I guess it's not a shell interpreter, so
pipes won't work.
You could run it as 'sh -c "my_command_with_pipes"'.

Cheers,
Alex

On 18/6/20 at 10:35, Dominique Wille wrote:

> Hello dear users. Could you help?
> We have a freeradius 3.0.x configuration working
> - Authorization with LDAP
> - Authentication with LDAP, backup to files
>
> Now I am trying to get validation from an OTP provider.
>
> It needs to send a RADIUS request with User-Name="myusername",
> User-Password="push" (this one is always "push", not the original password). The
> "push" word triggers a push notification on the mobile that needs to be
> answered, and then the OTP provider's RADIUS server answers with accept or reject.
>
> I have tried radclient (working in console mode) with the exec module, but I am
> having some issues moving it to the rlm_exec module (piping data, I think).
>
> So far I have reached:
>
> exec myotp {
>          input_pairs = request
>          wait = yes
>          timeout = 30
>          program = "/bin/echo \"User-Name=$USER_NAME,User-Password=push\" | /bin/radclient -r 1 -t 20 xx.xx.xx.xx:1812 auth mysecret"
> }
> Of course, the testing of what the command returns is still missing.
>
> But this does not work. It seems piping is not working and I cannot put two
> commands there.
> Any idea where the issue is?
>
> Is there a better or faster way?
>
> thanks
>
> nash35

--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
Skype alejandro_perez_mendez
jisc.ac.uk
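Alex's diagnosis is the key point: rlm_exec runs the program directly, not through a shell, so `|` in `program` is just another argument. Rather than inlining `sh -c "... $USER_NAME ..."` in the config (which would let a crafted User-Name such as `bob"; id` become shell syntax), the wrapper below, an added example written for this thread and not code from FreeRADIUS or any OTP vendor, is what I would point `program` at. It assumes an install path of /usr/local/sbin/otp-push.sh, a secret file at /etc/raddb/otp.secret, the placeholder OTP server address from the thread, and that radclient 3.0.x prints "Received Access-Accept" / "Received Access-Reject" for the two answers (verify against your build before relying on it). The username arrives in the USER_NAME environment variable, which is how rlm_exec exports request attributes (upper-cased, dashes turned into underscores) when `input_pairs = request`.

```shell
#!/bin/sh
# otp-push.sh: wrapper that rlm_exec runs instead of an inline "echo | radclient" pipeline.
# Added example for this mailing-list thread; not FreeRADIUS project code, not vendor code.
# Assumed: installed at /usr/local/sbin/otp-push.sh and referenced from mods-available/exec as
#
#   exec myotp {
#           wait = yes
#           input_pairs = request
#           timeout = 30
#           program = "/usr/local/sbin/otp-push.sh"
#   }
#
# rlm_exec starts the program without a shell, so pipes in "program" never work; it also
# hands the child only the request attributes as environment variables (upper-cased,
# '-' becomes '_', e.g. USER_NAME), so PATH is set here explicitly.
PATH=/usr/bin:/bin
export PATH

OTP_SERVER="${OTP_SERVER:-xx.xx.xx.xx:1812}"                 # placeholder host:port, as in the thread
OTP_SECRET_FILE="${OTP_SECRET_FILE:-/etc/raddb/otp.secret}"  # assumed path; mode 0600, owned by the radiusd user

# Map what radclient printed to the exit codes rlm_exec understands with wait = yes:
#   0 = ok (Access-Accept)   1 = reject (Access-Reject)   2 = fail (timeout, no answer, error)
# Assumption to verify against your radclient build: 3.0.x prints "Received Access-Accept Id ...".
classify_radclient_output() {
    case "$1" in
        *"Received Access-Accept"*) return 0 ;;
        *"Received Access-Reject"*) return 1 ;;
        *)                          return 2 ;;
    esac
}

# Build the attribute list radclient reads from stdin. The username is passed through
# printf as data, never spliced into a command line, so a crafted User-Name cannot become
# shell syntax (which it could in sh -c "... $USER_NAME ..."). Backslashes and double
# quotes are escaped for radclient's quoted-string parser; line breaks are dropped so a
# username cannot smuggle in a second attribute line.
build_request() {
    esc=$(printf '%s' "$1" | tr -d '\n\r' | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'User-Name = "%s"\nUser-Password = "push"\n' "$esc"
}

# Send the push request and translate the answer into an rlm_exec return code.
send_push() {
    user="$1"
    [ -n "$user" ] || return 2
    secret=$(cat "$OTP_SECRET_FILE" 2>/dev/null) || return 2
    # -r 1: a single attempt; -t 20: wait up to 20 s for the user to answer the push,
    # which must stay below the exec module's own timeout (30 s in the config above).
    out=$(build_request "$user" | radclient -r 1 -t 20 "$OTP_SERVER" auth "$secret" 2>&1)
    classify_radclient_output "$out"
}

# Only act when rlm_exec invoked us (it exports USER_NAME); otherwise define functions only.
if [ -n "${USER_NAME:-}" ]; then
    send_push "$USER_NAME"
    exit $?
fi
```

Two practical notes. The shared secret still ends up in radclient's argument list, where any local user can read it with `ps`; if your radclient build offers `-S file` (check `radclient -h`), prefer that over passing the secret inline. And because a push can take the user most of the 20 seconds, run this module only for the requests that really need it; each one ties up a radiusd thread for the whole wait.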

Re: Best/fastest method to query external radius OTP

Alan DeKok-2
In reply to this post by nash35
On Jun 18, 2020, at 4:35 AM, Dominique Wille <[hidden email]> wrote:

>
> Hello dear users. Could you help?
> We have a freeradius 3.0.x configuration working
> - Authorization with LDAP
> - Authentication with LDAP, backup to files
>
> Now I am trying to get validation from an OTP provider.
>
> It needs to send a RADIUS request with User-Name="myusername",
> User-Password="push" (this one is always "push", not the original password). The
> "push" word triggers a push notification on the mobile that needs to be
> answered, and then the OTP provider's RADIUS server answers with accept or reject.
>
> I have tried radclient (working in console mode) with the exec module, but I am
> having some issues moving it to the rlm_exec module (piping data, I think).

  Why not just proxy the packet?

  You can re-write the password in the "pre-proxy" section. That's what it's for.

  Alan DeKok.
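Alan's proxy approach, written out as an added example (my configuration, not the FreeRADIUS project's and not the original poster's running config). The home_server address and secret are the thread's placeholders, the realm and pool names are my own, and the section layout follows raddb/proxy.conf and raddb/sites-available/default in 3.0.x:

```text
# --- raddb/proxy.conf ---------------------------------------------------------
# The OTP provider as a home server. response_window has to cover the time a
# user needs to answer the push; status_check is off because the provider only
# answers real Access-Requests.
home_server otp_push {
        type            = auth
        ipaddr          = xx.xx.xx.xx       # placeholder, as in the thread
        port            = 1812
        secret          = mysecret          # placeholder; use a long random secret
        response_window = 30
        status_check    = none
}

home_server_pool otp_push_pool {
        type            = fail-over
        home_server     = otp_push
}

# nostrip: the provider sees the full User-Name exactly as the NAS sent it.
realm otp_push {
        auth_pool       = otp_push_pool
        nostrip
}

# --- raddb/sites-available/default --------------------------------------------
authorize {
        # the poster's existing modules (ldap and friends) stay as they are
        ldap

        # Route the request to the OTP realm once authorization has passed.
        update control {
                Proxy-To-Realm := "otp_push"
        }
}

pre-proxy {
        # Alan's point: only the proxied copy gets the literal "push" password
        # that triggers the mobile notification. The User-Password in the
        # local "request" list is left untouched.
        update proxy-request {
                User-Password := "push"
        }
}
```

One caveat a practitioner should weigh: once Proxy-To-Realm is set, FreeRADIUS proxies the request after authorize and this server's authenticate section does not run, so the provider's Access-Accept or Access-Reject becomes the answer to the NAS. The thread does not cover how to keep the poster's LDAP password check alongside that; it has to be accounted for in the design before the exec module is swapped out for proxying.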

