Use 2 modules to auth together.


Use 2 modules to auth together.

luckydog xf
hi, all,

    Any way to handle a second access request?

   Our user is in AD and the VPN will do an MSCHAP authentication first and
filter the User-Name property from the access request, then send an
access-challenge to verify against the other module, whose logic is as
simple as starting an http request via
http://XXX/check/username=<USER-NAME>&OTP=<xxxxxx>; if it returns 200, it's
ok.

   Basically, I want to auth a single login against two modules; only if both
of them are successful can the auth be deemed OK.

# site-enabled/default

authorize {

        if (!State) {
                # MS-CHAP has no User-Password, so this is true.
                if (!User-Password) {
                        # If !State and User-Password is null, then go to MS-CHAP:
                        update {
                                &control:Auth-Type := MS-CHAP
                        }
                }
                else {
                        reject
                }
        }
        else {
                # The 2nd auth module.
                # I DON'T KNOW HOW TO WRITE.
        }
}

# ### authentication #####
authentication {
       Auth-Type MS-CHAP {
                mschap
                if (ok) {
                        update reply {
                                # Create a random State attribute:
                                State := "%{randstr:XXXXXXXXXXXXX}"
                                Reply-Message := "Please type your OTP:"
                        }
                        # Return Access-Challenge, goes to the 2nd auth.
                        challenge
                }
        }
}

Thanks a lot.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Use 2 modules to auth together.

Alan DeKok-2
On Nov 26, 2018, at 2:42 AM, luckydog xf <[hidden email]> wrote:
>   Our user is in AD and VPN will do an MSCHAP authentication first and
> filter property of  User-Name from access request,  then call an
> access-challenge to verify against  the other module whose logic is as
> simple as starting a http request via http://XXX/check/username=
> <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's
> ok.

  That's really just more authorization.

>   Basically, I want to auth a single login against two modules, only both
> of them are successful, the auth could be deemed as OK.

   That's possible, subject to certain caveats.

> # ### authentication #####
> authentication {
>       Auth-Type MS-CHAP {
>                mschap
>                if (ok) {
>                        update reply {
>                                # Create a random State attribute:
>                                State := "%{randstr:XXXXXXXXXXXXX}"
>                                Reply-Message := "Please type your OTP:"
>                        }
>                        # Return Access-Challenge, goes to the 2nd auth.
>                        challenge

  That's good, but it likely won't work due to the NAS.  Doing OTP like that requires support from the NAS.  Does the NAS support doing MS-CHAP and then receiving an Access-Challenge?

  If it does, then your next step is to write down what you want to happen, like this:

1) packet 1 contains MS-CHAP
2) it authenticates against MS-CHAP
3) if MS-CHAP is successful, it returns a State, challenge, and reply message
4) when the next packet comes in with a state attribute, authenticate the OTP

  Note that the packet in step 4 *should not* contain any MS-CHAP attributes.  It should just contain the response to the OTP.

  So your freeradius configuration is:

1) run MS-CHAP like normal
2) do state / reply-message / challenge in "Auth-Type MS-CHAP"

  As a *separate* item:

3) if packet contains State
4) do OTP verification

  The only thing tying the two packets together is the State attribute.  They are otherwise completely independent.

  Alan DeKok.




Re: Use 2 modules to auth together.

luckydog xf
Thanks, Alan, you enlightened me.

Turns out the NAS (my VPN) does not support Access-Challenge. I googled and
found that a Challenge seems to be a special access-request packet with the
Code field set to 11. So can I conclude that it would send an
access-request again? In other words, start a new authentication process
like another normal request, with the exception that the State attribute exists.

Let me suppose my VPN supports Access-Challenge, so my configuration is
something like:
-------------------------------

authorize {
        # The first auth does not have any State attribute.
        if (!State) {
                # MS-CHAP has no User-Password, so this is true.
                if (!User-Password) {
                        # If !State and User-Password is null, then go to MS-CHAP:
                        update {
                                &control:Auth-Type := MS-CHAP
                        }
                }
                else { reject }
        }
        else {
                # Make sure it does not contain any other attributes except State.

                # IS THIS PART CORRECT? I think so, as a new request is
                # issued by the challenge, so it would start over from top to
                # bottom and walk through the entire process.
                update {
                        &control:Auth-Type := MY_OWN_OTP_AUTH
                }
        }
}

authentication {

        Auth-Type MS-CHAP {
                mschap
                if (ok) {
                        update reply {
                                # Create a random State attribute:
                                State := "%{randstr:XXXXXXXXXXXXX}"
                                Reply-Message := "Please type your OTP:"
                        }
                        # Return Access-Challenge, goes to the 2nd auth.

                        # IS IT the correct way to raise a challenge?
                        challenge
                }
        }
}

 Please take a look at the configuration above; two questions:

1. Is the else part correct? It will use my own Python auth module.
2. Is it correct to raise a challenge using the 'challenge' filter of
FreeRADIUS?

Thanks again.


On Mon, Nov 26, 2018 at 8:10 PM Alan DeKok <[hidden email]>
wrote:
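An added example, not code from this thread or from FreeRADIUS itself: an rlm_python-style module for the second, State-carrying packet that Alan's steps 3/4 describe and that the poster's else branch routes to MY_OWN_OTP_AUTH. It rejects a packet that lacks State or still carries MS-CHAP attributes, then asks the external check service and accepts only an HTTP 200. Assumptions: the VPN delivers the typed OTP as User-Password, the MY_OWN_OTP_AUTH section in authenticate calls `python`, CHECK_URL is a placeholder for the poster's http://XXX/check, and the `checker` parameter is mine so the logic can be exercised offline.

```python
import urllib.parse
import urllib.request

try:
    import radiusd  # injected by rlm_python when running inside the server
    RLM_MODULE_REJECT = radiusd.RLM_MODULE_REJECT
    RLM_MODULE_OK = radiusd.RLM_MODULE_OK
    RLM_MODULE_INVALID = radiusd.RLM_MODULE_INVALID
except ImportError:  # stand-alone run outside radiusd: rlm_python's numeric codes
    RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_INVALID = 0, 2, 4

# Placeholder for the poster's http://XXX/check (assumed; use HTTPS in practice).
CHECK_URL = "https://otp-check.example.invalid/check"


def http_otp_check(username, otp, timeout=5):
    """Ask the external OTP service; only an HTTP 200 counts as success."""
    # urlencode keeps a crafted User-Name from altering the query string.
    query = urllib.parse.urlencode({"username": username, "OTP": otp})
    try:
        with urllib.request.urlopen(CHECK_URL + "?" + query, timeout=timeout) as r:
            return r.status == 200
    except Exception:  # timeout, connection error or non-2xx: fail closed
        return False


def authenticate(p, checker=http_otp_check):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs.

    Only the packet answering our Access-Challenge should reach here, so it
    must carry State and must not be an MS-CHAP exchange (Alan's step 4).
    """
    attrs = dict(p)
    if "State" not in attrs:
        return RLM_MODULE_INVALID
    if any(name.startswith("MS-CHAP") for name in attrs):
        return RLM_MODULE_INVALID
    username = attrs.get("User-Name")
    otp = attrs.get("User-Password")  # assumption: OTP typed into the password prompt
    if not username or not otp:
        return RLM_MODULE_REJECT
    return RLM_MODULE_OK if checker(username, otp) else RLM_MODULE_REJECT
```

The MS-CHAP leg is untouched: it still runs in the first, State-less packet and is the only thing that issues the State this module requires.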