freeradius proxying directions..


freeradius proxying directions..

Tom Mustaki
Dear FreeRADIUS community professionals,

I am a noob in the FreeRADIUS business and really need some basic guidance.
I was following an article:
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

and it worked fine.

Now my goal is to support push notifications on mobile devices.
(FreeRADIUS should proxy the request without waiting for OTP input from
the authenticating user.)
Instead FreeRADIUS should, after a successful LDAP bind, send username +
"p" for password to the OTP RADIUS server. That will trigger a push
notification on the mobile device.

Could anyone point me in the right direction on where and what to change?



Thank you very much and keep up the good work.
Cheers,
Tom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius proxying directions..

Alan DeKok-2

On Jan 6, 2019, at 10:16 AM, Tom Mustaki <[hidden email]> wrote:
> I am a noob in the FreeRADIUS business and really need some basic guidance.
> I was following an article:
> https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
>
> and it worked fine.

  That's good.

> Now my goal is to support push notifications on mobile devices.
> (FreeRADIUS should proxy the request without waiting for OTP input from
> the authenticating user.)
> Instead FreeRADIUS should, after a successful LDAP bind, send username +
> "p" for password to the OTP RADIUS server. That will trigger a push
> notification on the mobile device.
>
> Could anyone point me in the right direction on where and what to change?

  The server can't do proxying *and* local authentication at the same time.  But with a bit of minor configuration, it should work.

  The simple solution is to *not* set Auth-Type = LDAP.  You should be able to do something like:

authorize {
        ...
        ldap.authenticate # run LDAP bind
        if (ok) {
                update control {
                        Proxy-To-Realm := "realm"
                }
        }
        ...
}

  Alan DeKok.



Re: freeradius proxying directions..

Tom Mustaki
Alan, thank you for the information. Sadly, I couldn't accomplish it.

I have played a little with the configuration and got it partially working.
I noticed a bug in which, even if the RADIUS server is down, access is
granted.
Can someone identify the bug for me and explain how to modify the script to
correct it?
authorize {
        if (!State) {
                if (&User-Password) {
                        # If !State and User-Password (PAP), then force LDAP:
                        update control {
                                Ldap-UserDN := "%{User-Name}@domain.com"
                                Auth-Type := LDAP
                        }
                }
                else {
                        reject
                }
        }
        else {
                # If State, then proxy request:
                update control {
                        Proxy-To-Realm := "proxy-test"
                }
        }
}

authenticate {
        Auth-Type LDAP {
                # Attempt authentication with a direct LDAP bind:
                ldap
                if (ok) {
                        update request {
                                User-Password := p
                        }
                        update control {
                                Proxy-To-Realm := "proxy-test"
                        }
                        accept
                }
        }
}

pre-proxy {
        # Enable pre-proxy to filter State attribute from proxied requests:
        attr_filter.pre-proxy
}




On Mon, Jan 7, 2019 at 3:39 PM Alan DeKok <[hidden email]> wrote:

Re: freeradius proxying directions..

Alan DeKok-2
On Jan 9, 2019, at 9:51 AM, Tom Mustaki <[hidden email]> wrote:
>
> Alan, thank you for the information. Sadly, I couldn't accomplish it.

  What does that mean?  What error did you get when you tried my suggestion?

  Saying "stuff didn't work" is not overly helpful.

> I have played a little with the configuration and got it partially working.
> I noticed a bug in which, even if the RADIUS server is down, access is
> granted.

  Because you told it to do that.

> Can someone identify the bug for me and explain how to modify the script to
> correct it?
> ...
> authenticate {
>        Auth-Type LDAP {
>                # Attempt authentication with a direct LDAP bind:
>                ldap
>                if (ok) {
>                        update request {
>                                User-Password := p
>                        }
>                        update control {
>                                Proxy-To-Realm := "proxy-test"
>                        }

  That won't work.  The server EITHER runs the "authenticate" section, OR it proxies.  It can't do both.

> accept

  That's an unconditional "accept the user".  Which is why it unconditionally accepts the user.

  My suggestion should work:

>> authorize {
>>        ...
>>        ldap.authenticate       # run LDAP bind
>>        if (ok) {
>>                update control {
>>                        Proxy-To-Realm := "realm"
>>                }
>>        }
>>        ...
>> }

  That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase.  That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication.

  If that doesn't work, say WHY it doesn't work.  Show the debug output.

  Alan DeKok.



Re: freeradius proxying directions..

Tom Mustaki
Alan,
it worked just like you said it would.
You are the man!  Thank you.

My config:

authorize {
        update control {
                Ldap-UserDN := "%{User-Name}@domain.com"
        }
        ldap.authenticate        # run user authentication by LDAP bind

        if (ok) {
                # Trigger push notification by sending 'p' for password value
                update request {
                        User-Password := p
                }
                # send to SafeNet Authentication Service
                update control {
                        Proxy-To-Realm := "proxy-test"
                }
        }
}

authenticate {

}

pre-proxy {
        # Enable pre-proxy to filter State attribute from proxied requests:
        attr_filter.pre-proxy
}


On Wed, Jan 9, 2019 at 5:55 PM Alan DeKok <[hidden email]> wrote:
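The approach Alan describes (bind as the user in `authorize`, then set `Proxy-To-Realm` so the `authenticate` section is skipped and the OTP server's verdict decides the outcome) and the working config Tom posted, written out as one complete, annotated example. This is an added example, not text from the thread and not FreeRADIUS project code. It assumes FreeRADIUS 3.x with the default rlm_ldap instance named `ldap`; the home server name and address, the shared secret, the `domain.com` UPN suffix, the timing values and the `post-proxy` fail-closed block are assumptions that do not appear in the thread:

```unlang
# --- sites-available/default (relevant sections only) ---------------------

authorize {
        # rlm_ldap reads this control attribute as the DN to bind with.
        # "domain.com" is a placeholder for the directory's UPN suffix.
        update control {
                &Ldap-UserDN := "%{User-Name}@domain.com"
        }

        # Bind as the user here, in the authorize phase, rather than via
        # Auth-Type = LDAP. On a bad password the module returns reject; if
        # the directory is unreachable it returns fail. Either return code
        # ends this section and the request is rejected, so nothing below
        # runs and the OTP server is never contacted.
        ldap.authenticate

        if (ok) {
                # The OTP backend treats a password of "p" as "send a push".
                # Overwriting User-Password also means the user's directory
                # password is never forwarded to the home server.
                update request {
                        &User-Password := "p"
                }
                # With Proxy-To-Realm set, the server proxies instead of
                # running "authenticate"; the reply the home server sends
                # (or fails to send) determines what the NAS receives.
                update control {
                        &Proxy-To-Realm := "proxy-test"
                }
        }
}

authenticate {
        # Deliberately empty: no local Auth-Type is set. An "accept" here is
        # what made the earlier config fail open when the OTP server was down.
}

pre-proxy {
        # Strip State (and anything else listed in attrs.pre-proxy) before
        # the packet leaves this server.
        attr_filter.pre-proxy
}

post-proxy {
        # Assumption: make "no answer from any home server" an explicit reject
        # instead of relying on defaults. This sub-section runs only when no
        # reply arrived within response_window from any server in the pool.
        Post-Proxy-Type Fail-Authentication {
                reject
        }
}

# --- proxy.conf: the realm referenced above --------------------------------

home_server otp_push {
        type = auth
        ipaddr = 192.0.2.10           # placeholder (documentation range)
        port = 1812
        secret = CHANGE_ME            # placeholder; share with the OTP server
        status_check = status-server  # detect a dead server proactively
        response_window = 30          # a push approval takes longer than PAP
        zombie_period = 40
}

home_server_pool otp_push_pool {
        type = fail-over
        home_server = otp_push
}

realm proxy-test {
        auth_pool = otp_push_pool
        nostrip                       # forward the bare username, not user@realm
}
```

To confirm the setup fails closed, stop the OTP home server (or point `ipaddr` at an unreachable address), start the proxy with `radiusd -X`, and run `radtest <user> <directory-password> localhost 0 testing123` (the default localhost secret from clients.conf). The debug output should show the request being proxied to the realm and the client should receive Access-Reject; an Access-Accept in that state means an unconditional `accept` or a local Auth-Type crept back into the flow.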