[RADIATOR] Authby LDAP and Authby OTP

Heikki Vatiainen hvn at open.com.au
Tue Dec 22 08:31:41 CST 2015 

On 12/21/2015 05:23 AM, Joe Honnold wrote:

> I am working on a project for sending users OTP’s to gain access.  I
> would like to have users authenticate to AD and once accepted use Authby
> OTP to generate a token and send it to the user via SMS.   The user
> would then enter the OTP and gain access.
> I have done a bit of researching and found a config that I am using as a
> base.  http://www.van-sluis.nl/?p=345

There is one major difference between the example config you were using
and what you want to achieve: note that the example AuthBy LDAP2 had this:

  # We don't do authentication. Authentication is done by OTP.
  NoCheckPassword

> The Authby LDAP2 in my config is working as expected but the Authby OTP
> is not.  It is a bit confusing at this point as I am unsure how to debug
> the Authby OTP failure to find the exact issue.

I'd say the problem is that AuthBy OTP sees a password and thinks this
is the OTP.

> My expectation is that if the Authby OTP was working right a
> one-password would be generated and the sent to the users mobile number
> found in AD.
> 
> Any ideas where to start with this one?

I think the authentication flow needs to be changed with something like
this:

<AuthBy LDAP2>
  # Add this, otherwise unchanged
  PostAuthHook sub {my $p = ${$_[0]}; $p->{DecodedPassword} = '';}
</AuthBy>

<AuthBy OTP>
   # Add this, otherwise unchanged
   AddToReply State=otp-check
</AuthBy>

# New Handler goes here: Verify the OTP
<Handler State=otp-check>
   AuthBy SSLVPN_OTP
</Handler>

<Handler Client-Identifier = juni-sslvpn>
 # Unchanged
</Handler>


The idea is this:
1) Request first hits the current Handler
2) Once AuthBy LDAP2 is done, it clears the password
3) AuthBy OTP sees the empty passwords and generates the OTP
4) AuthBy OTP adds State in the Access-Challenge
5) The Access-Request with OTP will now contain 'State=otp-check'
request attribute
6) The new Handler processes the request and does just the OTP verify

Please note the above is untested, but I'd say it should match how the
two phase authentication should go.

Please let us know if the above helps,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list