Error 2FA - AD password and external OTP via RADIUS proxy


Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
Hi

I configured it following https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy but there was an error: /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if'. Any ideas? FreeRADIUS Version 3.0.1
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error 2FA - AD password and external OTP via RADIUS proxy

Alan DeKok-2
On Mar 11, 2020, at 7:21 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> I configure at https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy But there was an error /etc/freeradius/3.0/sites-enabled/proxy[2]: Invalid location for 'if' Any ideas FreeRADIUS Version 3.0.1

  Upgrade to 3.0.20.  It has many bugs fixed.

  And no, you didn't follow that guide.  The guide is pretty clear where the "if" statements go.  It gives you filenames.

  The server configuration is well documented.  You can't just add random things to random configuration files, and expect that they do what you want.

  Alan DeKok.




Re: Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
Thanks. Bug fixed. Can I configure radtest for a 2FA request? Now, after
radtest testuser testpasswd 10.42.2.36 1812 testing123
Received Access-Challenge Id 160 from 10.42.2.36:1812 to 0.0.0.0:0 length 56
        State = 0x575a6b39676f34544332324f584d357a
        Reply-Message = "Please enter OTP"
That is, I don't understand whether 2FA works or not.


RE: Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
2FA test: add it to your ssh login, enable it and test it.
That's easy to do..

Just make sure you have 2 (!) extra sessions logged in before you enable it.
If you're on Debian/Ubuntu:
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

That is easy to do for a test.


Greetz,

Louis


> -----Original message-----
> From: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=[hidden email]
> ius.org] On behalf of Клеусов Владимир Сергеевич via Freeradius-Users
> Sent: Wednesday, 11 March 2020 13:18
> To: FreeRadius users mailing list
> CC: Клеусов Владимир Сергеевич
> Subject: Re: Error 2FA - AD password and external OTP via
> RADIUS proxy
>
> Thanks. Bug fixed. Can I configure radtest for a 2fa request
> ? Now, after radtest testuser testpasswd 10.42.2.36 1812 testing123
> Received Access-Challenge Id 160 from 10.42.2.36:1812 to
> 0.0.0.0:0 length 56
> State = 0x575a6b39676f34544332324f584d357a
> Reply-Message = "Please enter OTP»
> That is I don't understand if 2fa works or not

Re: Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
In the freeradius logs, this is: ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
First the request for a normal password and then the OTP 2217287.
What's wrong?

On 11 March 2020, at 15:28, L.P.H. van Belle via Freeradius-Users <[hidden email]> wrote:

F2A test, add it to your ssh login and enable it and test it.
Thats easy todo..

Just make sure you 2 ! Extra sessions logged in before you enable it.
If your on debian/ubuntu.
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

What is easy todo for a test.

Re: Error 2FA - AD password and external OTP via RADIUS proxy

Alan DeKok-2
On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
> First the request for a normal password and then the otp  2217287
> What's wrong ?

  The user entered the password followed by the OTP, all as one field.  Then, you configured FreeRADIUS to send all that to LDAP.

  The general practice is to put the 6-digit OTP first, then the password.  Then, split them via something like this:

        if (User-Password =~ /^(......)(.*)$/)  {
                update request {
                        User-Password := "%{2}"
                        OTP-Password := "%{1}"
                }
        }

  You will need to edit raddb/dictionary in order to define OTP-Password.

  This lets you use User-Password as normal to connect to LDAP, and authenticate the user.

  You can then check OTP-Password however you want.

  Alan DeKok.


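The split Alan describes above, modelled in plain Python as an added example (this is not code from the thread or from FreeRADIUS itself). It applies the same six-characters-then-rest pattern to User-Password, shows which value would go to the LDAP bind and which to the OTP check, and also shows what happens when the user types the password first, as in the log line earlier in the thread. The stricter digits-only variant, the function names and the sample user name, password and OTP are constructed for this example and are not from the page.

```python
"""Model of the User-Password split from Alan's reply (added example).

Mirrors the unlang check  if (User-Password =~ /^(......)(.*)$/)  and the
following  update request  block in plain Python, so the behaviour can be
checked against constructed sample inputs without a RADIUS server.
"""
import re

# Alan's split: the first six characters are the OTP, the rest is the password.
OTP_FIRST = re.compile(r"^(......)(.*)$")

# Tightened variant (an assumption of this example, not from the thread):
# the OTP must be exactly six digits and the password part must be non-empty,
# so a value that is only an OTP, or one with the password typed first,
# is refused instead of being split at the wrong place.
OTP_FIRST_STRICT = re.compile(r"^([0-9]{6})(.+)$")


def split_user_password(combined, strict=True):
    """Return (otp, password), or None when the value does not match.

    None is the case where the unlang 'if' does not match: User-Password is
    left untouched, and the whole glued string would reach the LDAP bind,
    which is what produced 'Bind credentials incorrect' in the thread.
    """
    pattern = OTP_FIRST_STRICT if strict else OTP_FIRST
    m = pattern.match(combined)
    if m is None:
        return None
    return m.group(1), m.group(2)


def route_request(user_name, user_password, strict=True):
    """Emulate the 'update request' block: decide what each backend receives.

    Returns the attributes that would be sent on:
      'User-Password' -> LDAP bind credential (the AD password only, %{2})
      'OTP-Password'  -> the external OTP check (%{1})
    or {'reject': reason} when the input cannot be split.  OTP-Password is
    the attribute Alan says must be defined in raddb/dictionary.
    """
    parts = split_user_password(user_password, strict=strict)
    if parts is None:
        return {"reject": "User-Password is not <6-digit OTP><password>"}
    otp, password = parts
    return {
        "User-Name": user_name,
        "User-Password": password,
        "OTP-Password": otp,
    }


if __name__ == "__main__":
    # Constructed sample credentials (not the thread's real values).
    print(route_request("testuser", "123456testpasswd"))   # OTP first: split OK
    print(route_request("testuser", "testpasswd123456"))   # password first: rejected
    # Alan's looser pattern splits anything of six or more characters,
    # so the password-first input is cut at the wrong place:
    print(split_user_password("testpasswd123456", strict=False))
```

The non-strict pattern is exactly the one from the reply and is enough once users are told to type the OTP first; the strict variant is what I would use in practice, because a request that does not match is then rejected before the LDAP bind is attempted, rather than being forwarded with a mis-split password.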

Re: Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
Configured as follows:
One freeradius is configured like this:
https://wiki.freeradius.org/guide/2FA-A ... plus-Proxy

The second freeradius is configured as follows:
https://www.linotp.org/howtos/howto-radius.html

That is, the idea is to first check the username/password in LDAP, then get a temporary password and check it.

The problem is that it doesn't work:
Login incorrect (ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswordOTP]

In other words, the passwords are glued together.

I don't understand how to configure it.

>> The general practice is to put the 6-digit OTP first, then the password.  Then, split them via something like this:
>>
>> if (User-Password =~ /^(......)(.*)$/)  {
>> update request {
>> User-Password := "%{2}"
>> OTP-Password := "%{1}"
>> }
>> }
>>
>> You will need to edit raddb/dictionary in order to define OTP-Password.



> On 12 March 2020, at 11:05, Клеусов Владимир Сергеевич <[hidden email]> wrote:
>
> Thanks.
> In which file do I need to separate the LDAP and OTP password ?
> How do I edit a dictionary ?

Fwd: Error 2FA - AD password and external OTP via RADIUS proxy

Users mailing list
Perhaps I need to split the passwords in a script and log in using the split password?
 # If State, then proxy request:
                update control {
                Proxy-To-Realm := "proxy-test"
                Auth-Type := /bin/bash -f /etc/freeradius/3.0/scripts/otp.sh '%{User-Name}' '%{User-Password}'

    }



Begin forwarded message:

From: Владимир Клеусов <[hidden email]>
Subject: Re: Error 2FA - AD password and external OTP via RADIUS proxy
Date: 16 March 2020 at 15:34:51 GMT+3
To: FreeRadius users mailing list <[hidden email]>

Re: Error 2FA - AD password and external OTP via RADIUS proxy

Alan DeKok-2


> On Mar 18, 2020, at 4:27 AM, Клеусов Владимир Сергеевич via Freeradius-Users <[hidden email]> wrote:
>
> Perhaps I need to split passwords in a script and log in using a split password ?

  Check the previous replies.  I said exactly how to do this.

  Alan DeKok.

