[RADIATOR] Authby LDAP and Authby OTP

Joe Honnold Joe_Honnold at starkey.com
Sun Dec 20 21:23:10 CST 2015


Good day.

I am working on a project for sending users OTPs to gain access. I would like to have users authenticate to AD and, once accepted, use Authby OTP to generate a token and send it to the user via SMS. The user would then enter the OTP and gain access.
I have done a bit of researching and found a config that I am using as a base.  http://www.van-sluis.nl/?p=345
The Authby LDAP2 in my config is working as expected but the Authby OTP is not.  It is a bit confusing at this point as I am unsure how to debug the Authby OTP failure to find the exact issue.

My expectation is that if the Authby OTP was working right, a one-time password would be generated and then sent to the user's mobile number found in AD.

Any ideas where to start with this one?

Cleaned radius.cfg file
========
# radius.cfg - Niels van Sluis, <niels at van-sluis.nl>
#
# Example Radiator configuration file.
#
# * retrieve mobile number from Directory Server.
# * generate and send One-Time Password to mobile number.
# * authenticate One-Time Password.

LogDir      /var/log/radius
DbDir       /etc/radiator
# Use a lower trace level in production systems:
Trace 7

AuthPort    1812
AcctPort    1813

<Client 1.1.100.8>
        Secret REDACTED
        Identifier juni-sslvpn
</Client>

<AuthBy LDAP2>
        # Radiator talks to Microsoft AD.
        # Try to find mobile number only.
        Debug 255
        Identifier SSLVPN_LDAP
        NoDefault
        Host 1.1.50.80 1.1.50.82
        Port 3268
        BaseDN
        AuthDN cn=SVC_REDACTED, OU=REDACTED, DC=REDACTED, DC=REDACTED, DC=REDACTED
        AuthPassword REDACTED
        Timeout 2
        UsernameAttr sAMAccountName
        PasswordAttr
        ServerChecksPassword
        HoldServerConnection
        FailureBackoffTime 0
        # Get attribute that contains the mobile number.
        AuthAttrDef MobileNumber

        # We don't do authentication. Authentication is done by OTP.
        #NoCheckPassword

        # Some code to put the mobile number into memory, so it can be used
        # by OTP. Every line of the hook must end in a backslash; a blank
        # line without one ends the hook value early.
        PostSearchHook sub {\
                use Radius::Context;\
                my $user = $_[1];\
                my $attr = ($_[4]->get('MobileNumber'))[0];\
                my $context = &Radius::Context::get("otp:$user", 120);\
                $context->{mobile_number} = $attr;\
        }
</AuthBy>

<AuthBy OTP>
        # Authenticate based on One-Time Password sent to user by SMS.
        Identifier SSLVPN_OTP
        EAPType One-Time-Password,Generic-Token
        # Generate the OTP, hand it to the SMS script together with the
        # mobile number stored by the PostSearchHook, and challenge the user.
        ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
                $context->{otp_password} = $self->generate_password();\
                system('/etc/radiator/otp/sendsms.php', $user, $context->{mobile_number}, $context->{otp_password});\
                return "Enter One-Time Password";\
        }
</AuthBy>

<AuthBy GROUP>
        Identifier Check-LDAP-and-OTP
        AuthByPolicy ContinueWhileAccept
        AuthBy SSLVPN_LDAP
        AuthBy SSLVPN_OTP
</AuthBy>

<Handler Client-Identifier = juni-sslvpn>
        RejectHasReason
        AuthBy Check-LDAP-and-OTP
</Handler>
========

Cleaned log output
========
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Received from 1.1.100.8 port 48711 ....

Packet length = 60
01 f9 00 3c 44 f6 a0 c6 d9 45 84 6b 77 b0 3b bd
6f 7c a6 a6 01 0a 48 6f 6e 6e 6f 6c 64 4a 02 12
38 0e 00 f6 b2 17 6f 3b e0 62 22 b9 36 35 f7 bd
06 06 00 00 00 01 04 06 a7 64 64 08
Code:       Access-Request
Identifier: 249
Authentic:  D<246><160><198><217>E<132>kw<176>;<189>o|<166><166>
Attributes:
User-Name = "ADUSER"
User-Password = 8<14><0><246><178><23>o;<224>b"<185>65<247><189>
Service-Type = Login-User
NAS-IP-Address = 1.1.100.8

Sun Dec 20 20:55:03 2015: DEBUG: Handling request with Handler 'Client-Identifier = juni-sslvpn', Identifier ''
Sun Dec 20 20:55:03 2015: DEBUG:  Deleting session for ADUSER, 1.1.100.8,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthGROUP: Check-LDAP-and-OTP
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthLDAP2: SSLVPN_LDAP
Sun Dec 20 20:55:03 2015: INFO: Connecting to 1.1.50.80:3268 1.1.50.82:3268
Sun Dec 20 20:55:03 2015: INFO: Connected to 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: INFO: Attempting to bind to LDAP server 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: DEBUG: LDAP got result for CN=AD User,OU=REDACTED,OU=REDACTED,DC=REDACTED,DC=REDACTED,DC=REDACTED
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 ACCEPT: : ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_LDAP result: ACCEPT,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthOTP: SSLVPN_OTP
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP REJECT: OTP Authentication failed: (): ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_OTP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: AuthBy GROUP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: INFO: Access rejected for ADUSER: OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Sending to 1.1.100.8 port 48711 ....

Packet length = 51
03 f9 00 33 67 f2 b5 1f 1c 13 63 fc 25 ff d3 79
a5 80 d7 c5 12 1f 4f 54 50 20 41 75 74 68 65 6e
74 69 63 61 74 69 6f 6e 20 66 61 69 6c 65 64 3a
20 28 29
Code:       Access-Reject
Identifier: 249
Authentic:  g<242><181><31><28><19>c<252>%<255><211>y<165><128><215><197>
Attributes:
Reply-Message = "OTP Authentication failed: ()"
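As an added example (not from the post and not Radiator's own code), a small RADIUS decoder for reading the packet dumps in the log: it parses the Access-Reject dump above, builds the Access-Challenge (Reply-Message plus State) that a working ChallengeHook would send instead, and verifies the Response Authenticator so a reply that was not produced by the server can be told apart. The shared secret, request authenticator and State value are constructed placeholders, since the real ones are redacted.

```python
import hashlib
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 18: "Reply-Message", 24: "State"}

# The Access-Reject hex dump from the log above, copied verbatim.
REJECT_HEX = """
03 f9 00 33 67 f2 b5 1f 1c 13 63 fc 25 ff d3 79
a5 80 d7 c5 12 1f 4f 54 50 20 41 75 74 68 65 6e
74 69 63 61 74 69 6f 6e 20 66 61 69 6c 65 64 3a
20 28 29
"""


def parse_radius(raw):
    """Decode a RADIUS packet (RFC 2865) into code, id, authenticator and attributes."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTR_NAMES.get(atype, "Attr-%d" % atype), raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": raw[4:20], "attrs": attrs}


def response_authenticator_ok(raw, request_authenticator, secret):
    """Response Authenticator check: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(raw[:4] + request_authenticator + raw[20:] + secret).digest()
    return expected == raw[4:20]


def build_challenge(ident, request_authenticator, secret, message, state):
    """Construct the Access-Challenge a working ChallengeHook would produce (not from the log)."""
    attrs = bytes([18, 2 + len(message)]) + message + bytes([24, 2 + len(state)]) + state
    header = struct.pack("!BBH", 11, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


if __name__ == "__main__":
    # Constructed secret/authenticator/state: the real values are redacted in the post.
    challenge = build_challenge(249, b"\x11" * 16, b"example-secret",
                                b"Enter One-Time Password", b"otp-session")
    for name, pkt in (("logged reply", bytes.fromhex(REJECT_HEX)), ("expected reply", challenge)):
        p = parse_radius(pkt)
        print(name, p["code"], "id", p["id"], p["attrs"])
```

A reject carrying only Reply-Message, as in the log, means the OTP module never reached the challenge step; the hex dump of a real challenge must carry code 11 and a State attribute that the client echoes back with the OTP.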
