FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

13 messages

FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
Hello everyone

we have been using FreeRADIUS successfully for some time now. Now we have two more requirements:

1) Password change in OpenLDAP via FreeRADIUS

FreeRADIUS is connected to an OpenLDAP via the LDAP-module.

We also have Cisco devices connected to a tac_plus server (http://www.pro-bono-publico.de/projects/tac_plus.html), which also uses OpenLDAP as its backend. In this setup the users can change their LDAP password via the router's login prompt after successful authentication with the old password.

Can we implement password changes with FreeRADIUS as well when the NAS supports this, or is this a TACACS+-only feature?

2) Next-Token-Mode for RSA SecurID

We are using two-factor authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.

Is there a way to handle this in FreeRADIUS?

It would be great if you could point me in the right direction for both use cases and tell me what modules or unlang-statements we could try out to solve this.

Thanks and best wishes

Michael
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok
On Nov 30, 2018, at 8:57 AM, michael böhm <[hidden email]> wrote:
> we have been using FreeRADIUS successfully for some time now. Now we have two more requirements:
>
> 1) Password change in OpenLDAP via FreeRADIUS
> ...
> Can we implement password changes with FreeRADIUS as well when the NAS supports this, or is this a TACACS+-only feature?

  It's only TACACS+.

  The good news is that v4 should have a TACACS+ front end.  It was working a few months ago, and then we did some rearchitecture.  So it doesn't work today.  But it's likely only a few days to get it working again.

> 2) Next-Token-Mode for RSA SecurID
>
> We are using two-factor authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.
>
> Is there a way to handle this in FreeRADIUS?

  Sure.  There's an rlm_securid module in the server.  That should work.

  Alan DeKok.



Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
   Hi Alan,

   thanks for your reply.

   Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
   some that are RADIUS-only.

   I did not find the rlm_securid module in my installation. Do I have to
   compile it myself? Is there documentation somewhere? Does the module
   use the proprietary protocol from RSA or RADIUS?

   Thank you and best wishes

   Michael


Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok
On Nov 30, 2018, at 10:24 AM, michael böhm <[hidden email]> wrote:
>   Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
>   some that are Radius-only.

  It means that *FreeRADIUS* can do TACACS+.

>   I did not find the rlm_securid-module in my installation.

  It isn't included with any pre-built packages.

>  Do I have to
>   compile it myself?

  Yes.

> Is there a documentation somewhere? Does the module
>   use the proprietary protocol from RSA or Radius?

  It links to the SecurID libraries.  It's documented in src/modules/rlm_securid/ in the source tree.

  Alan DeKok.



Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
   Hi Alan

   we've decided to use the RADIUS interface of the SecurID server and not
   the proprietary protocol.

   Now I need unlang to make the access decision:

   LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
   ACCEPT to NAS

   I tried it like that in the authorize-section but it did not work:

   filter_username
   preprocess

   # %{1} = ldap-password
   # %{2} = Token

   if (User-Password =~ /^(.+)([0-9]{6})$/) {
           update request {
                   User-Password := "%{2}"
           }
           update control {
                   Proxy-To-Realm := "securid"
           }

           update request {
                   User-Password := "%{1}"
           }

           ldap
   }

   pap

   The proxying itself is working fine but not the correlation of the two
   results.

   Could you please give me a minimal example of how to create this
   and-logic in unlang?

   Thanks and best wishes

   Michael


Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok
On Dec 3, 2018, at 8:00 AM, michael böhm <[hidden email]> wrote:
>   we've decided to use the RADIUS interface of the SecurID server and not
>   the proprietary protocol.

  OK.

>   Now I need unlang to make the access decision:
>
>   LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
>   ACCEPT to NAS
>
>   I tried it like that in the authorize-section but it did not work:

  See the FAQ for "it doesn't work".

>   filter_username
>   preprocess
>
>   # %{1} = ldap-password
>   # %{2} = Token
>
>   if (User-Password =~ /^(.+)([0-9]{6})$/) {
>           update request {
>                   User-Password := "%{2}"
>           }
>           update control {
>                   Proxy-To-Realm := "securid"
>           }
>
>           update request {
>                   User-Password := "%{1}"
>           }
>
>           ldap
>   }
>
>   pap
>
>   The proxying itself is working fine but not the correlation of the two
>   results.

  What does that mean?

>   Could you please give me a minimal example of how to create this
>   and-logic in unlang?

  My $0.02 is to check the users password *first*, and then proxy to RSA if it passed.


  # %{1} is the LDAP password, %{2} the token
  if (User-Password =~ /^(.+)([0-9]{6})$/) {
          update request {
                  User-Password := "%{1}"
          }

          # get the "known good" password from LDAP
          ldap

          # check the user's password
          # if this fails, the user will be automatically rejected
          pap.authenticate

          update control {
                  Proxy-To-Realm := "securid"
          }

          update request {
                  User-Password := "%{2}"
          }
  }
  else {
        ... do stuff for non-RSA users ...
  }

  Alan DeKok.



Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
   Hi Alan,

   with your hints I managed to get this running:

           # Case 1: No script-user -> 2FA
           if(User-Name !~ /^sc_.+$/) {
                   # Case 1.1: LDAP-PW + Token
                   if(User-Password =~ /^(.+)([0-9]{6})$/) {
                           update request {
                                   User-Password := "%{1}"
                           }
                           ldap
                           files
                           pap
                           pap.authenticate
                           update request {
                                   User-Password := "%{2}"
                           }
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
                   # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
                   elsif(State && User-Password =~ /^([0-9]{6})$/) {
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
           }
           # Case 2: script-user
           else {
                   ldap
                   files
                   pap
           }


   I get this error in freeradius -X:

   (2) Found Auth-Type = PAP
   (2) Found Auth-Type = Accept
   (2) ERROR: Warning:  Found 2 auth-types on request for user '<user>'

   Can I ignore this?

   Only one more problem is to solve:

   In post-auth we have a Perl-script that relies on the groups that come
   from LDAP to make user rights decisions. When we are in Next-Token-Mode
   (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
   to the Perl script.

   Is there a way to tell freeradius to cache the LDAP-groups from the
   last request for case 1.1 and use them in 1.2? If there is no easy way
   I would delete Case 1.2 and tell the user to type in the LDAP-password
   again followed by the next Token.

   Thanks and best wishes

   Michael


Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok
On Dec 3, 2018, at 9:37 AM, michael böhm <[hidden email]> wrote:
>   with your hints I managed to get this running:

  That's good.

>   I get the error in freeradius -X:
>
>   (2) Found Auth-Type = PAP
>   (2) Found Auth-Type = Accept
>   (2) ERROR: Warning:  Found 2 auth-types on request for user '<user>'
>
>   Can I ignore this?

  Yes.  If you upgrade to 3.0.17, the message will go away.

>   Only one more problem is to solve:
>
>   In post-auth we have a Perl-script that relies on the groups that come
>   from LDAP to make user rights decisions. When we are in Next-Token-Mode
>   (case 1.2) we do not query LDAP, so freeradius cannot pass the groups
>   to the Perl script.

  OK.

>   Is there a way to tell freeradius to cache the LDAP-groups from the
>   last request for case 1.1 and use them in 1.2?

  You can cache LDAP groups in the session-state list.  But they're only cached for a series of challenge/response packets.

  Alan DeKok.



Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
   Hi Alan,

   this seems to do exactly what we want:

           # In any case: check the LDAP and local user-file first

           ldap
           files
           # Case 1: No script-user -> 2FA
           if(User-Name !~ /^sc_.+$/) {
                   # Case 1.1: LDAP-PW + Token
                   if(User-Password =~ /^(.+)([0-9]{6})$/) {
                           # LDAP-password in %{1}
                           # Token in %{2}
                           update request {
                                   User-Password := "%{1}"
                           }
                           # Check password and reject if incorrect
                           pap
                           pap.authenticate
                           update request {
                                   User-Password := "%{2}"
                           }
                           # Proxy the request to the SecurID-server
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
                   # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
                   elsif(State && User-Password =~ /^([0-9]{6})$/) {
                           update control {
                                   Proxy-To-Realm := "securid"
                           }
                   }
           }
           # Case 2: script-user
           else {
                   pap
           }

   Is my elsif(State ...)-statement a robust way to check if this packet
   belongs to a challenge-response of this exact user? I want to avoid
   situations where a user might be able to authenticate with just a Token
   and no password.

   We are testing the configuration now. Thank you very much for your
   help!

   I'll check back in a few weeks regarding the password change / TACACS+
   feature I asked for in my initial mail. For the moment we'll do the
   password changes via a web-interface for the LDAP which is fine.

   Best wishes

   Michael


Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

Alan DeKok
On Dec 4, 2018, at 7:37 AM, michael böhm <[hidden email]> wrote:
>   Is my elsif(State ...)-statement a robust way to check if this packet
>   belongs to a challenge-response of this exact user?

  It's:

a) the user specified in the User-Name, and

b) a response to a previous Access-Challenge.

> I want to avoid
>   situations where a user might be able to authenticate with just a Token
>   and no password.

  Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.

>   We are testing the configuration now. Thank you very much for your
>   help!

  You're welcome.

  Alan DeKok.


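The group caching Alan points to, plus a tighter form of the State check Michael asked about, as an added example: this is not configuration from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.0.x, an ldap module instance named "ldap" with group caching switched on (group { cacheable_name = yes } in mods-available/ldap, which leaves the user's groups in control:LDAP-Cached-Membership once "ldap" has run), that the Perl post-auth script reads the groups from that attribute, and that the server keeps the session-state list across the proxied Access-Challenge, which is what the thread's next-token step already relies on. The marker string and the Tmp-String-* attributes are arbitrary choices.

```unlang
authorize {
        filter_username
        preprocess

        # Case 1: not a script user -> two-factor
        if (&User-Name !~ /^sc_.+$/) {
                # Case 1.1: <LDAP password><6-digit token>
                if (&User-Password =~ /^(.+)([0-9]{6})$/) {
                        update request {
                                # keep the token in an internal attribute now: %{1}/%{2}
                                # are overwritten by the next regex match, whether in
                                # unlang or in a users-file entry that rlm_files evaluates
                                &Tmp-String-1 := "%{2}"
                                &User-Password := "%{1}"
                        }
                        ldap
                        files
                        pap
                        # rejects the request if the LDAP password is wrong;
                        # nothing below runs in that case
                        pap.authenticate

                        # kept only while the reply is an Access-Challenge, i.e.
                        # exactly for the next-token round trip
                        update session-state {
                                &Tmp-String-0 := "ldap-password-verified"
                                &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
                        }

                        update request {
                                &User-Password := "%{Tmp-String-1}"
                        }
                        update control {
                                &Proxy-To-Realm := "securid"
                        }
                }
                # Case 1.2: next-token step, token only.  Requires the marker
                # stored above in the session-state that belongs to the request's
                # State attribute; the presence of State alone is not enough.
                elsif (&session-state:Tmp-String-0 == "ldap-password-verified" && &User-Password =~ /^[0-9]{6}$/) {
                        update control {
                                # give post-auth (the Perl script) the same groups it
                                # would have seen after an LDAP lookup
                                &LDAP-Cached-Membership += &session-state:LDAP-Cached-Membership[*]
                                &Proxy-To-Realm := "securid"
                        }
                }
                else {
                        # a token without a verified password in this session, or a
                        # State value this server never issued
                        reject
                }
        }
        # Case 2: script user, password only
        else {
                ldap
                files
                pap
        }
}
```

The change that matters for the question about robustness is in case 1.2: a request carrying a State value this server did not issue, or one whose session has already expired, arrives with an empty session-state list, so the marker test fails and a bare token is never proxied. Because session-state is discarded as soon as a reply other than Access-Challenge goes out, the cached groups live precisely as long as the next-token exchange and never leak into an unrelated login.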

Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
Hi,

regarding the LDAP-password change (question in my initial mail) I managed to create this configuration:

authorize {

        filter_username

        preprocess

        # empty password which triggers password-change
        if (User-Password =~ /^$/ && !State) {

                update reply {
                        Reply-Message := "Old Password: "

                        # Setting the Prompt via radius did not work here, instead this had to be configured on the Cisco-Router
                        # radius-server challenge-noecho
                        Prompt := No-Echo
                }

                update session-state {
                        Tmp-String-0 := "Old-Password-Phase"
                }

                challenge
        }
        # password-change, query for new password
        elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^Old-Password-Phase$/ && State) {

                ldap
                pap
                pap.authenticate

                update reply {
                        Reply-Message := "New Password: "
                        Prompt := No-Echo
                }

                update session-state {
                        Tmp-String-0 := "New-Password-Phase-1"
                }

                challenge
        }
        # password-change, query for new password again
        elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-1$/ && State) {

                update reply {
                        Reply-Message := "New Password (repeat): "
                        Prompt := No-Echo
                }

                update session-state {
                        Tmp-String-1 := User-Password
                        Tmp-String-0 := "New-Password-Phase-2"
                }

                challenge
        }
        # compare both and write it to LDAP
        elsif (&session-state:Tmp-String-0 && &session-state:Tmp-String-0 =~ /^New-Password-Phase-2$/ && State) {

                if(User-Password != &session-state:Tmp-String-1) {

                        update reply {
                                Reply-Message := "Passwords do not match.\n"
                        }

                        reject
                }
               
                # Call a script that finally writes the new password to LDAP (tbd)
                perl

        }
        else {
                ldap
                pap
        }
}

Which creates these prompts on a Cisco-router:

root@dn-aaa-rad1:~# ssh user@cisco-router
Password:
Old Password:
New Password:
New Password (repeat):
 
This should work, but wouldn't it be a good idea to give the FreeRADIUS ldap module a method to change the password, so that there is just one program talking to the LDAP?

Best wishes

Michael


Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

arr2036

> This should work but wouldn't it be a good idea to give the freeradius ldap module a method to change the password so that there is just one program talking to the LDAP?

You can hack it in today using v3.0.x and ldap.post-auth.

There's not really a password change action/section, but this does seem like a useful feature, so maybe add a ticket on the GitHub issue tracker.

-Arran
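One way to wire Arran's ldap.post-auth suggestion into the password-change flow posted above, as an added example: it is not code from the thread and not the ldap module's own documentation. It assumes FreeRADIUS 3.0.x, an ldap module instance named "ldap" whose bind identity is allowed to modify userPassword, and the session-state markers from Michael's authorize section (Tmp-String-0 for the phase, Tmp-String-1 for the new password); the post-auth update block and the reply texts are my choices.

```unlang
# mods-available/ldap: add a post-auth block to the existing "ldap" instance
# (server, identity, password, base_dn and the rest stay as they are).  The
# keys are LDAP attribute names and the values are unlang expansions; the
# module looks the user up with its normal filter and issues an LDAP modify
# as the module's own bind identity, not as the user.
ldap {
        post-auth {
                update {
                        userPassword := "%{session-state:Tmp-String-1}"
                }
        }
}

# sites-enabled/default, authorize: the last phase of the flow above, in
# place of the "perl" placeholder.  Nothing authenticates this packet on its
# own; the session-state chain (old password verified with pap.authenticate
# two round trips earlier) is what authorises the write.
elsif (&session-state:Tmp-String-0 == "New-Password-Phase-2" && State) {
        if (&User-Password != &session-state:Tmp-String-1) {
                update reply {
                        &Reply-Message := "Passwords do not match.\n"
                }
                reject
        }
        update control {
                &Auth-Type := Accept
        }
}

# sites-enabled/default, post-auth: do the write only on that final phase.
# An LDAP error makes ldap.post-auth return fail, the section fails and the
# reply becomes an Access-Reject, so the login fails instead of succeeding
# with an unchanged password.
post-auth {
        if (&session-state:Tmp-String-0 == "New-Password-Phase-2") {
                ldap.post-auth
                update reply {
                        &Reply-Message := "Password changed.\n"
                }
        }
}
```

Three things to check before putting this in front of users. The modify runs under the module's bind credentials, so the directory ACL for that identity, not the user's, is what bounds the damage if the RADIUS server is compromised; give it write access to userPassword on user entries only. The new password crosses the wire to the directory in the clear, so the ldap module needs TLS to the server. And OpenLDAP stores userPassword exactly as written unless the ppolicy overlay's ppolicy_hash_cleartext is enabled, so either enable that or the entries end up with cleartext passwords.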

Re: FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode

"michael böhm"
Opened:

https://github.com/FreeRADIUS/freeradius-server/issues/2371

I hope that I put all necessary information in.

Best wishes

Michael
 
