Fwd: Not able to send a challenge


Fwd: Not able to send a challenge

ngoetz24
> I’m not sure what I am doing wrong.  I am trying to use eap-tls to authenticate users against active directory, and if it passes, I want to prompt the user to enter their OTP.  This is all working with PAP, but I want to use eap-tls since it is more secure.  Everything works fine with the windows authentication, but as soon as I uncomment the “challenge” line in the code below, I get the following error:
>  
> (6) ntlm_auth: Program executed successfully
> (6)       [ntlm_auth] = ok
> (6)       if (ok) {
> (6)       if (ok)  -> TRUE
> (6)       if (ok)  {
> (6)         update reply {
> (6)           Reply-Message := "Please enter OTP"
> (6)         } # update reply = noop
> (6)         policy challenge {
> (6)           update control {
> (6)             &Response-Packet-Type = Access-Challenge
> (6)           } # update control = noop
> (6)           [handled] = handled
> (6)         } # policy challenge = handled
> (6)       } # if (ok)  = handled
> (6)     } # Auth-Type ntlm_auth = handled
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6)   Reply-Message := "Please enter OTP"
> (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.
> (6) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
> (6) eap: Sending EAP Failure (code 4) ID 6 length 4
> (6) eap: Failed in EAP select
> (6)     [eap] = invalid
> (6)   } # Auth-Type eap = invalid
> (6) Failed to authenticate the user
> (6) Using Post-Auth-Type Reject
> (6) Post-Auth-Type sub-section not found.  Ignoring.
>  
>  
> I only get this error when I try to send out a challenge.  If I comment out the challenge line, then everything works, except then the user does not get prompted for their OTP and is allowed to authenticate using only their domain password.
>  
> Here is a copy of my inner-tunnel config:
>  
>  
> server inner-tunnel {
>
>     listen {
>         ipaddr = 127.0.0.1
>         port = 18120
>         type = auth
>     }
>
>     authorize {
>         if (!State) {
>             if (&User-Password) {
>                 update control {
>                     Auth-Type = ntlm_auth
>                 }
>             }
>             else {
>                 reject
>             }
>         }
>         else {
>             # If State, then proxy request:
>             update control {
>                 Proxy-To-Realm := "otp"
>             }
>         }
>     }
>
>     authenticate {
>         Auth-Type ntlm_auth {
>             ntlm_auth
>             if (ok) {
>                 update reply {
>                     # Create a random State attribute:
>                     #State := "%{randstr:aaaaaaaaaaaaaaaa}"
>                     Reply-Message := "Please enter OTP"
>                 }
>                 # Return Access-Challenge:
>                 #challenge
>             }
>         }
>     }
>
>     session {
>         radutmp
>     }
>
>     post-auth {
>         #if (0) {
>             update reply {
>                 User-Name !* ANY
>                 Message-Authenticator !* ANY
>                 EAP-Message !* ANY
>                 Proxy-State !* ANY
>                 MS-MPPE-Encryption-Types !* ANY
>                 MS-MPPE-Encryption-Policy !* ANY
>                 MS-MPPE-Send-Key !* ANY
>                 MS-MPPE-Recv-Key !* ANY
>             }
>
>             update {
>                 &outer.session-state: += &reply:
>             }
>         #}
>
>         Post-Auth-Type REJECT {
>             -sql
>             attr_filter.access_reject
>             update outer.session-state {
>                 &Module-Failure-Message := &request:Module-Failure-Message
>             }
>         }
>     }
>
>     pre-proxy {
>     }
>
>     post-proxy {
>         eap
>     }
> }
>  
>  
> Any help that someone could give me to point me in the right direction would be greatly appreciated.
>  
> Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Not able to send a challenge

Alan DeKok-2


> On Sep 6, 2019, at 12:41 PM, ngoetz75 <[hidden email]> wrote:
>
>> I’m not sure what I am doing wrong.  I am trying to use eap-tls to authenticate users against active directory,

  EAP-TLS authenticates users by certificate.  It doesn't need / use AD.

  The most you could do is to check the username against the user ID in AD.  If the user exists, keep going with EAP-TLS.  Otherwise reject them.

>> and if it passes, I want to prompt the user to enter their OTP.

  EAP-TLS doesn't use passwords.  Therefore it doesn't use OTP.

  Maybe you mean TTLS?

>>  This is all working with PAP, but I want to use eap-tls since it is more secure.  Everything works fine with the windows authentication, but as soon as I uncomment the “challenge” line in the code below, I get the following error:
>>
>> (6) ntlm_auth: Program executed successfully
>> (6)       [ntlm_auth] = ok
>> (6)       if (ok) {
>> (6)       if (ok)  -> TRUE
>> (6)       if (ok)  {
>> (6)         update reply {
>> (6)           Reply-Message := "Please enter OTP"
>> (6)         } # update reply = noop
>> (6)         policy challenge {
>> (6)           update control {
>> (6)             &Response-Packet-Type = Access-Challenge
>> (6)           } # update control = noop
>> (6)           [handled] = handled
>> (6)         } # policy challenge = handled
>> (6)       } # if (ok)  = handled
>> (6)     } # Auth-Type ntlm_auth = handled
>> (6) } # server inner-tunnel
>> (6) Virtual server sending reply
>> (6)   Reply-Message := "Please enter OTP"
>> (6) eap_ttls: No tunneled reply was found for request 6 , and the request was not proxied: rejecting the user.

  Yes.  EAP-TTLS has a fixed packet flow.  You can't just inject something new and expect it to work.

  If you want OTP challenge / response with EAP-TTLS, you have to use EAP-GTC in the inner tunnel.  PAP won't work.

  Alan DeKok.
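As an added example (not from either poster and not the FreeRADIUS project's own configuration) of what the reply above points at: the prompt/response round-trip that the original `challenge` line tried to inject in unlang is instead carried by EAP-GTC as the inner method of EAP-TTLS, which is selected in the `eap` module rather than in the inner-tunnel server. The fragment assumes the stock `mods-available/eap` layout (a `tls-common` section and a virtual server named `inner-tunnel`); the prompt text is the one from the original post, and the module that actually validates the one-time password is a labelled placeholder, since the page does not say how the "otp" realm checks it.

```conf
# mods-available/eap (added example; other stock settings left unchanged)
eap {
    default_eap_type = ttls

    ttls {
        tls = tls-common
        # Inner method: EAP-GTC carries the prompt/response exchange
        # inside the TTLS tunnel, so no Access-Challenge has to be
        # injected from unlang.
        default_eap_type = gtc
        virtual_server = "inner-tunnel"
    }

    gtc {
        # Prompt text sent to the supplicant as the GTC challenge
        # (supplicants that do not display GTC challenges ignore it).
        challenge = "Please enter OTP"
        # The plain-text response is placed in User-Password and
        # handed to the Auth-Type named here for validation.
        auth = PAP
    }
}

# sites-available/inner-tunnel (added example; only the relevant sections)
server inner-tunnel {
    authorize {
        eap
    }

    authenticate {
        eap

        Auth-Type PAP {
            # The GTC response arrives here as User-Password.
            # PLACEHOLDER: replace with the module that checks the
            # one-time password against the OTP backend; "pap" alone
            # would only compare it against a stored cleartext password.
            pap
        }
    }
}
```

Two practitioner notes: the supplicant must support EAP-GTC as a TTLS inner method (TTLS/PAP clients will not prompt a second time, which matches the "PAP won't work" point above), and the AD password check and the OTP check become two separate steps in the inner tunnel rather than one Access-Challenge sequence, so each step should be visible in `radiusd -X` output as its own module return.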

