Use 2 modules to auth together.

classic Classic list List threaded Threaded
1 message Options
| Threaded
Open this post in threaded view
|

Use 2 modules to auth together.

luckydog xf
Probably I'm wrong, MSCHAP won't work no matter what kind of password
encyption used if LDAP is as backend. MSCHAP is using ntlm_auth and
winbind which is MS related, or its equivalent, Samba.


On Wed, Nov 28, 2018 at 8:56 AM luckydog xf <luckydogxf at gmail.com
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>
wrote:

> One more thing to add.

> 1. MS AD as backend, you could choose MSchap variant, like EAP-mschapv2,
>  I'm NOT sure.
> 2. LDAP as backend, you could use MSCHAP too, as long as you add samba
> schema and add sambaSamAccount objectclass( maybe this one) in your LDAP
> entry,  then your user's password could stored as NThash encrypted(This is
>  how MS AD user's password is encrypted). The default  is SSHA512.

On Wed, Nov 28, 2018 at 8:56 AM luckydog xf <luckydogxf at gmail.com
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>
wrote:

>* Let me complete this topic. Feel free to correct me if I'm wrong. LOL
*>>* In short,
*>>* 1. MS AD != OTP and MS AD != PAP.
*>>* 2. MS AD = MSCHAP( and MSCHAP v2, not sure CHAP)
*>>* 3. LDAP = PAP = OTP
*>>* Long explaination:
*>>* 1. It won't be User-Password as MS-CHAP2-Response Attribute  in
Access-Request packet has the password you input encoded and
encrypted. In other words, MSCHAP does have password but in another
form which FreeRadius cannot and won't check it either, and it's
exepcted.
*>>* That's the way how MSCHAP works,
*>>* see https://tools.ietf.org/html/rfc2548
<https://tools.ietf.org/html/rfc2548> (page 14-15)
*>>* NO user-password, no OTP, b/c there is no way to know your
orginal OTP, it is in MS-CHAP2-Responsed.
*>>* 2. user-password in AD schema is write-only, you cannot use
Freeradius LDAP module to revitive it, and any other LDAPclient, like
LDAPadmins. So this means NO known good password, which also means NO
PAP.
*>>* 3. MS AD is mschap only, as far as I know. Guess it's challeng
and response change everytine, so it's security, just a guess.
*>>* 4. LDAP means PAP and OTP, as User-Password is available.
*>>* That's all.
*>>* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
*>>>* Hi, here is my access-request from radiusd -fX
*>>* Only an extra State is added comparing to the 1st auth.
*>>* # Access-Challenge
*>* Ready to process requests
*>* (6) Received Access-Request Id 13 from 172.30.240.130:7460
<http://172.30.240.130:7460> to172.16.237.52:1812 length 205
*>* (6)   NAS-Identifier = "Artisan_FW"
*>* (6)   State = 0x654e6c7472756d474c576c6a61584b37
*>* (6)   User-Name = "someone"
*>* (6)   MS-CHAP2-Response =
*>* 0x0f003132333435363638393035398846f8ca00000000000000000ac4b98d3afb9b42a0e1a1def464b78e5f6b13033d6a6e7c
*>* (6)   MS-CHAP-Challenge = 0x680d6e49baa9e6f4b4f622042f0917f6
*>* (6)   NAS-IP-Address = 172.30.240.130
*>* (6)   NAS-Port-Type = Virtual
*>* (6)   Called-Station-Id = "172.30.240.130"
*>* (6)   Acct-Session-Id = "033ac507"
*>* (6)   Connect-Info = "admin-login"
*>* (6)   Fortinet-Vdom-Name = "root"
*>* (6) session-state: No cached attributes
*>* (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
*>>* As you can see there is NO User-Password attribute, which is OTP. It
*>* seems that it's caused by mschap authentication, there is no such
*>* attribute in mschap.
*>>* Is there any way to input User-Password( in other words, OTP)? or my
*>* own auth method would fail to auth as there is no OTP.
*>>>* Thanks.
*>>* On Nov 26, 2018, at 8:42 AM, luckydog xf <luckydogxf at gmail.com
<http://gmail.com>
*>* <http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>>
*>* wrote:
*>>* Find a challenge-support Device and test it out. Let me answer it.
*>>* 1. Not every NAS supports Access-Challenge, they may just ignore it
*>* and treat it as access-reject. According to my test.
*>>* 2. my way of raise challeng is correct, it's built-in way of FreeRADIUS.
*>>* 3. else part seesm correct, too, though I haven't hanle my own auth
*>* method, it's just a fake one.
*>>* Thank Alan again.
*>>>* On Nov 26, 2018, at 12:42 AM, luckydog xf <luckydogxf at
gmail.com <http://gmail.com>
*>* <http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>>
*>* wrote:
*>>>* Thank, Alan, you enlighten me.
*>>* Turns out  NAS( my VPN) does not support Access-Challenge.  Googled and
*>* found  that Challenge seems to be a speical access-request  packet with the
*>* Code field set to 11. So can I make the conclusion that  it would send an
*>* access-quest again?  in other words, start a new authentication process
*>* like another normal request with an exception that State attribute exists.
*>>* Let me suppose my VPN supports Access-Challenge, so my configuation is
*>* something like:
*>* -------------------------------
*>>* authorize {
*>*       # The first auth does not have any State attribute.
*>*       if (!State) {
*>*                 # MS-CHAP has no User-Password, so it's true.
*>*                 if (!User-Password )  {
*>*                         # If !State and User-Password is null, then
*>* goes to MS-CHAP:
*>*                         update  {
*>*                                 &control:Auth-Type := MS-CHAP
*>*                         }
*>*                 }
*>>*               else { reject }
*>>*       # Make sure it does not contain any other attributes except State.
*>>>*      else {
*>>*             update {
*>>*              # IS THIS PART CORRECT ? I think so, as a new request is
*>* issued by challage, so it would start over from top to buttom to walk
*>* throught the entire process.
*>>*                 &control:Auth-Type := MY_OWN_OTP_AUTH
*>>*                }
*>*       }
*>>* }
*>>* authentication {
*>>*       Auth-Type MS-CHAP {
*>*                mschap
*>*                if (ok) {
*>*                        update reply {
*>*                                # Create a random State attribute:
*>*                                State := "%{randstr:XXXXXXXXXXXXX}"
*>*                                Reply-Message := "Please type your OTP:"
*>*                        }
*>*                        # Return Access-Challenge, goes to the 2nd auth.
*>>*                        # IS IT the correct way to raise a challange?
*>*                        challenge
*>>* }
*>>*  Please help me to take a look at  configuration above, two questions:
*>>* 1. Is else part correct?  which will use my own python auth module
*>* 2. Is it correct to raise a challenge using 'challenge' filter of
*>* FreeRADIUS?
*>>* Thanks again.
*>>>* On Mon, Nov 26, 2018 at 8:10 PM Alan DeKok <aland
atdeployingradius.com <http://atdeployingradius.com>
*>* <http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>>
*>* wrote:
*>>* >*** On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf at
gmail.com <http://gmail.com> <http://gmail.com <http://gmail.com/>>
<http://gmail.com <http://gmail.com/> <http://gmail.com/
<http://gmail.com/>>>
<http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>
<http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>
<http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>
<http://lists.freeradius.org/mailman/listinfo/freeradius-users
<http://lists.freeradius.org/mailman/listinfo/freeradius-users>>>>>
wrote:
*>* ***>* >   Our user is in AD and VPN will do an MSCHAP
authentication first and
*>* *>* > filter property of  User-Name from access request,  then call an
*>* *>* > access-challenge to verify against  the other module whose logic is as
*>* *>* > simple as starting a http request via
http://XXX/check/username= <http://xxx/check/username=>
<http://xxx/check/username= <http://xxx/check/username=>>
*>* <http://xxx/check/username= <http://xxx/check/username=>>
*>* <http://xxx/check/username= <http://xxx/check/username=>>
*>* *>* > <http://xxx/check/username= <http://xxx/check/username=>
*>* <http://xxx/check/username=
<http://xxx/check/username=>>><USER-NAME>&OTP=<xxxxxx>, if return 200,
*>* *>* it's
*>* *>* > ok.
*>* *>>*   That's really just more authorization.
*>* *>>* >   Basically, I want to auth a single login against two
modules, only both
*>* *>* > of them are successful, the auth could be deemed as OK.
*>* *>>*    That's possible, subject to certain caveats.
*>* *>>* > # ### authentication #####
*>* *>* > authentication {
*>* *>* >       Auth-Type MS-CHAP {
*>* *>* >                mschap
*>* *>* >                if (ok) {
*>* *>* >                        update reply {
*>* *>* >                                # Create a random State attribute:
*>* *>* >                                State := "%{randstr:XXXXXXXXXXXXX}"
*>* *>* >                                Reply-Message := "Please type
your OTP:"
*>* *>* >                        }
*>* *>* >                        # Return Access-Challenge, goes to
the 2nd auth.
*>* *>* >                        challenge
*>* *>>*   That's good, but it likely won't work due to the NAS.  Doing OTP like
*>* *>* that requires support from the NAS.  Does the NAS support
doing MS-CHAP and
*>* *>* then receiving an Access-Challenge?
*>* *>>*   If it does, then your next step is to write down what you want to
*>* *>* happen, like this:
*>* *>>* 1) packet 1 contains MS-CHAP
*>* *>* 2) it authenticates agains MS-CHAP
*>* *>* 3) if MS-CHAP is successful, it returns a State, challenge, and reply
*>* *>* message
*>* *>* 4) when the next packet comes in with a state attribute,
authenticate the
*>* *>* OTP
*>* *>>*   Note that the packet in step 4 *should not* contain any MS-CHAP
*>* *>* attributes.  It should just contain the response to the OTP.
*>* *>>*   So your freeradius configuration is:
*>* *>>* 1) run MS-CHAP like normal
*>* *>* 2) do state / reply-message / challenge in "Auth-Type MS-CHAP"
*>* *>>*   As a *separate* item:
*>* *>>* 3) if packet contains State
*>* *>* 4) do OTP verification
*>* *>>*   The only thing tying the two packets together is the State attribute.
*>* *>* They are otherwise completely independent.
*>* *>>*   Alan DeKok.
*>* *>>>>* -
*>* *>* List info/subscribe/unsubscribe? See
*>* *>* http://www.freeradius.org/list/users.html
<http://www.freeradius.org/list/users.html>
*>* <http://www.freeradius.org/list/users.html
<http://www.freeradius.org/list/users.html>>*
*>>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html