[RADIATOR] two factor authentication

Alexander Hartmaier alexander.hartmaier at t-systems.at
Wed Jan 18 04:16:52 CST 2012


Hi Heikki and Mike,
I'm already using AuthBy OTP with my own ChallengeHook.
I've read RFC2865 yesterday but missed the State attribute, thanks for
the great pointer!

That's the working config I came up with:

<AuthLog FILE>
     Identifier tsa-otp-client-vpn

     Filename %L/tsa-otp-client-vpn.authlog
     LogSuccess 1
     LogFailure 1
     # log the Handler Identifier to be able to distinguish between AD and OTP auth failures
     SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
     FailureFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
</AuthLog>

<Handler Callback-Number=/.+/>
     Identifier otp_sms_challenge

     AuthByPolicy    ContinueUntilChallenge

     #StripFromRequest Password

     # clear the password to force AuthOTP to always generate an OTP
     PreAuthHook sub { \
         my $p = ${$_[0]}; \
         my $rp = ${$_[1]}; \
         $p->{DecodedPassword} = ''; \
     }
     AuthBy otp_sms
     #AddToReply State="otp-challenge"
</Handler>

<Handler Client-Identifier="tsa-tc-flod|localhost" Request-Type="Access-Request" State="otp-challenge">
     Identifier tsa-otp-client-vpn-otp

     AuthLog tsa-otp-client-vpn
     # Show any rejection reason to the end user
     RejectHasReason

     AuthBy otp_sms
</Handler>

<Handler Client-Identifier="tsa-tc-flod|localhost" Request-Type="Access-Request">
     Identifier tsa-otp-client-vpn-ad

     AuthByPolicy    ContinueUntilChallenge

     # Show any rejection reason to the end user
     RejectHasReason

     AuthLog tsa-otp-client-vpn

     <AuthBy LDAP2>
         # Save time by never looking for a default
         NoDefault

         Host ip1 ip2 ip3
         Port 389
         Version 3

         # request timeout in seconds
         Timeout 2

         # don't try to reach the ldap for this amount of seconds after failure
         FailureBackoffTime 0

         UsernameAttr samaccountname
         # don't check the password, just for phone number lookup
         #PasswordAttr
         ServerChecksPassword

         # store the user's mobile phone number in the Callback-Number radius attribute
         AuthAttrDef mobile,Callback-Number,request
     </AuthBy>

     <AuthBy HANDLER>
         HandlerId otp_sms_challenge
     </AuthBy>
</Handler>

I had to use AuthBy HANDLER to force AuthBy OTP to generate the token,
using a PreAuthHook to delete the DecodedPassword.
As you can see, I tried StripFromRequest Password, which didn't work.
I was looking for a way to clear the password between the AuthBy LDAP
and AuthBy OTP.
Is there a way to do this?

Cheers, Alex

On 2012-01-17 21:12, Mike McCauley wrote:
> Hi Heikki,
>
> I wonder if he should also look at AuthBy OTP?
> Cheers.
>
> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>
>> Hello Alexander,
>>
>>> I'm trying to implement a two-factor auth where the user has to enter
>>> his Active Directory credentials.
>>> Radiator checks those against the AD and, if successful, creates an OTP and
>>> sends it to the mobile phone number fetched from the AD.
>> Add State attribute to the challenge at this point.
>>
>>> A challenge is returned to the NAS.
>> See this for how the NAS should react to a challenge.
>> http://tools.ietf.org/html/rfc2865#section-5.24
>>
>>> My problem is that I can't distinguish the initial request and the
>>> challenge response which should skip the AD auth because this time the
>>> password field holds the OTP response.
>> State should be echoed back in the challenge response unless the NAS is
>> badly broken.
>>
>>> By looking at the radius packets with tcpdump I couldn't find a
>>> difference in the radius attributes sent that would let me write two
>>> different handlers.
>>>
>>> Ideas?
>> Try something like this. Note that I have used a fixed value for the
>> challenge, but you could make it generic to protect against replay
>> attacks, or use some other information that might be useful for selecting
>> the correct handler for verifying the challenge.
>>
>> <Handler attribute=value,...,State=whatever>
>>     # Check challenge here
>> </Handler>
>>
>> <Handler attribute=value,...>
>>     # Generate OTP here and send challenge
>>     <AuthBy ...>
>>        # AD auth happens here
>>        AddToReply State=whatever
>>     </AuthBy>
>> </Handler>
>>
>> Please let us know how it goes.
>> Heikki
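As an added example (not part of this thread and not Radiator's code), here is a small Python model of the two-leg exchange Heikki describes: the NAS sends User-Name and User-Password; the server answers an Access-Challenge that carries a State attribute; the NAS sends the OTP in User-Password and echoes State back verbatim (RFC 2865 section 5.24); the server selects the OTP check purely on the presence of State, exactly the distinction Alexander could not find in the attributes otherwise. It goes beyond Heikki's sketch in the way he suggests: State is a random per-challenge value that is consumed on first use and expires, so a replayed or guessed State is rejected. User-Password hiding follows RFC 2865 section 5.2; the packet header, identifier and Response Authenticator are omitted, and attributes are modelled as (type, value) pairs. The shared secret, the `directory` dict standing in for the AD lookup, the `send_sms` callable standing in for the SMS gateway and the 120-second lifetime are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# RADIUS packet codes and attribute types used below (RFC 2865 sections 3 and 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"constructed-shared-secret"   # constructed sample value, not from the thread
CHALLENGE_LIFETIME = 120                       # assumed: seconds a pending OTP challenge stays valid


def hide_password(password, secret, request_auth):
    """User-Password hiding, RFC 2865 section 5.2: NUL-pad to 16-byte blocks, XOR the first block
    with MD5(secret + Request Authenticator) and each later block with MD5(secret + previous ciphertext)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of section 5.2: undo the XOR chain and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def nas_request(user, password, request_auth, state=None):
    """Attributes the NAS sends, as (type, value) pairs. On the reply to an Access-Challenge the
    user's OTP goes into User-Password and State is echoed back verbatim (RFC 2865 section 5.24)."""
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, SHARED_SECRET, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    return attrs


class OtpChallengeServer:
    """Two-leg flow: AD password -> Access-Challenge carrying State; State + OTP -> Accept.
    `directory` stands in for the AD lookup and `send_sms` for the SMS gateway (both hypothetical)."""

    def __init__(self, directory, send_sms, secret=SHARED_SECRET, now=time.time):
        self.directory, self.send_sms, self.secret, self.now = directory, send_sms, secret, now
        self.pending = {}   # State value -> (user, otp, expiry); one entry per outstanding challenge

    def handle(self, request_auth, attrs):
        attrs = dict(attrs)
        user = attrs.get(USER_NAME, b"")
        password = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        state = attrs.get(STATE)
        # The presence of State is what separates the two legs; the attribute set is otherwise identical.
        return self._verify_otp(user, password, state) if state else self._check_ad(user, password)

    def _check_ad(self, user, password):
        entry = self.directory.get(user.decode(errors="replace"))
        if entry is None or not hmac.compare_digest(entry["password"].encode(), password):
            return ACCESS_REJECT, [(REPLY_MESSAGE, b"AD authentication failed")]
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_bytes(16)   # random per challenge: unguessable and unique, unlike a fixed value
        self.pending[state] = (user, otp, self.now() + CHALLENGE_LIFETIME)
        self.send_sms(entry["mobile"], otp)
        return ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")]

    def _verify_otp(self, user, otp, state):
        session = self.pending.pop(state, None)   # one-shot: a replayed State finds nothing
        if session is None:
            return ACCESS_REJECT, [(REPLY_MESSAGE, b"Unknown or already used challenge")]
        s_user, s_otp, expiry = session
        if self.now() > expiry:
            return ACCESS_REJECT, [(REPLY_MESSAGE, b"Challenge expired")]
        if s_user != user or not hmac.compare_digest(s_otp.encode(), otp):
            return ACCESS_REJECT, [(REPLY_MESSAGE, b"Wrong one-time password")]
        return ACCESS_ACCEPT, []


def demo():
    """Run the exchange end to end with constructed data; returns the response code of each step."""
    sent, results = {}, {}
    server = OtpChallengeServer({"alex": {"password": "ad-pass", "mobile": "+43-000-0000000"}},
                                lambda mobile, otp: sent.update(otp=otp))   # constructed user record

    def leg(password, state=None):   # fresh Request Authenticator per packet, as a NAS would send
        auth = os.urandom(16)
        return server.handle(auth, nas_request(b"alex", password, auth, state))

    code, reply = leg(b"ad-pass")
    results["first_leg"] = code                                   # Access-Challenge with State
    state = dict(reply).get(STATE)
    results["second_leg"] = leg(sent["otp"].encode(), state)[0]   # OTP in User-Password, State echoed
    results["replay"] = leg(sent["otp"].encode(), state)[0]       # same State again: rejected
    results["forged_state"] = leg(b"123456", os.urandom(16))[0]   # State the server never issued
    results["bad_ad_password"] = leg(b"wrong")[0]                 # first leg fails, no challenge
    return results


if __name__ == "__main__":
    for step, code in demo().items():
        print(f"{step}: {code}")
```

Mapped onto Alexander's config, the first leg is the handler without a State check item (AD lookup, then the OTP challenge) and the second leg is the handler that matches `State="otp-challenge"`; the model simply makes the State value random and single-use instead of the fixed string.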


T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b