[RADIATOR] TOTP authentication with Oracle
Denis PAVANI
d.pavani at cineca.it
Tue Jul 31 08:54:45 UTC 2018
Hello Hugh,

it seems better (no crashes) with version 4.21, but it is still not working.

Library versions are:

ii libdbi-perl 1.631-3+b1
libdbd-oracle-perl-11.2.0.4 1.74-2

I attach the configuration file, where there is an option to authenticate in LDAP (which works) or TOTP. I plan to combine the two, but only after simple OTP authentication is working.

I launch:

radpwtst -s 127.0.0.1 -secret FakeKey -auth_port 1812 -acct_port 1813 -nas_ip_address 1.1.4.6 -user d.pavani at cineca.it -password '123456'

And in the log file we see:
Tue Jul 31 10:29:24 2018: DEBUG: Handling request with Handler 'NAS-IP-Address= /1.1.4.6/', Identifier ''
Tue Jul 31 10:29:24 2018: DEBUG: Deleting session for d.pavani at cineca.it, 1.1.4.6, 1234
Tue Jul 31 10:29:24 2018: DEBUG: Connecting to 'DBI:Oracle:db105.dbc Connection id: 0-00000'
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'delete from RADONLINE where NASIDENTIFIER='1.1.4.6' and NASPORT=01234':
Tue Jul 31 10:29:25 2018: DEBUG: Handling with Radius::AuthLDAP2:
Tue Jul 31 10:29:25 2018: INFO: Connecting to ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: INFO: Connected to ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: INFO: Attempting to bind to LDAP server ldap.cineca.it:389
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got result with filter (&(mail=d.pavani at cineca.it)(vpnactive=1)(mmactive=1)) for DN mail=d.pavani at cineca.it,employeeNumber=removed,ou=people,o=cineca,c=it
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got vpnGroup: DSET
Tue Jul 31 10:29:25 2018: DEBUG: LDAP got userPassword: removed
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthLDAP2 looks for match with d.pavani at cineca.it [d.pavani at cineca.it]
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: d.pavani at cineca.it [d.pavani at cineca.it]
Tue Jul 31 10:29:25 2018: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
Tue Jul 31 10:29:25 2018: DEBUG: Handling with Radius::AuthSQLTOTP:
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthSQLTOTP looks for match with d.pavani at cineca.it [d.pavani at cineca.it]
Tue Jul 31 10:29:25 2018: DEBUG: Query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'select secret, active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from totpkeys where username='d.pavani at cineca.it'':
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='d.pavani at cineca.it''':
Tue Jul 31 10:29:25 2018: ERR: do failed for 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='d.pavani at cineca.it''': ORA-01756: quoted string not properly terminated (DBD ERROR: OCIStmtPrepare)
Tue Jul 31 10:29:25 2018: DEBUG: Connecting to 'DBI:Oracle:db105.dbc Connection id: 0-00000'
Tue Jul 31 10:29:25 2018: DEBUG: do query to 'DBI:Oracle:db105.dbc Connection id: 0-00000': 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='d.pavani at cineca.it''':
Tue Jul 31 10:29:25 2018: ERR: do failed for 'update totpkeys set accessed=sysdate, bad_logins=12, last_timestep=0 where username='d.pavani at cineca.it''': ORA-01756: quoted string not properly terminated (DBD ERROR: OCIStmtPrepare)
Tue Jul 31 10:29:25 2018: DEBUG: Radius::AuthSQLTOTP IGNORE: Database update failed: d.pavani at cineca.it [d.pavani at cineca.it]
Tue Jul 31 10:29:25 2018: DEBUG: AuthBy SQLTOTP result: IGNORE, Database update failed
Tue Jul 31 10:29:25 2018: DEBUG: Access ignored for d.pavani at cineca.it: Database update failed
Tue Jul 31 10:29:29 2018: DEBUG: Packet dump:
Then we see a successful accounting.

Thank you in advance and best regards.
On 31/07/2018 08:15, Hugh Irvine wrote:
> Hello Denis -
>
> The first thing to do is upgrade to the latest Radiator 4.21 and test again to verify that there is still a problem.
>
> After that, we need to see a copy of your configuration file together with a complete trace 4 debug showing what is happening.
>
> It would also be useful to know what versions of PERL modules you are using for DBI, DBD-Oracle, etc.
>
> regards
>
> Hugh
>
>
>> On 31 Jul 2018, at 00:43, Denis PAVANI <d.pavani at cineca.it> wrote:
>>
>> Hello,
>>
>> I am trying to set up TOTP authentication using Google Authenticator.
>>
>> We use Oracle as a backend DB, which is perfectly working for accounting. When using TOTP, I get errors, an accounting failure and then Radiator crashes (test instance, Radiator 4.16).
>>
>> Last line in the log is
>>
>> Mon Jul 30 15:33:26 2018: DEBUG: Query to 'DBI:Oracle:db105.dbc': 'select secret, active, pin, digits, bad_logins, accessed, last_timestep, timestep, algorithm, timestep_origin from totpkeys where username='user'':
>>
>> The same query done on commandline using sqlplus works.
>>
>> Could you share any suggestion?
>>
>> Best regards.
>>
>
> --
>
> Hugh Irvine
> hugh at open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
>
--
*******************************************************************
Ing. Denis Pavani
DSET - Gruppo Tecnologie
CINECA
via Raffaello Sanzio 4 20090 SEGRATE MI
Tel: +39 02 26995.348
skype: d.pavani.at.cineca
“In my experience there is no such thing as luck.” – Obi-Wan Kenobi
*******************************************************************
-------------- next part: attached configuration file --------------
LogDir /var/log/radius
DbDir /etc/radiator
LogFile %L/radius.log
Trace 5
AuthPort 1812
AcctPort 1813
DictionaryFile /etc/radiator/dictionary

<Client DEFAULT>
    Secret secret
    DupInterval 0
</Client>

<SessionDatabase SQL>
    DBSource DBI:Oracle:db105.dbc
    DBUsername noc
    DBAuth password
</SessionDatabase>

<Handler Acct-Status-Type=/(Stop|Start)/>
    <AuthBy SQL>
        DBSource DBI:Oracle:db105.dbc
        DBUsername noc
        DBAuth password
        # You may want to tailor these for your ACCOUNTING table
        # You can add your own columns to store whatever you like
        AccountingTable ACCOUNTING%Y
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef TIME_STAMP,Timestamp,formatted-date,to_date('%e %m %Y %H:%M','DD MM YYYY hh24:mi')
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,Called-Station-Id
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        # You can arrange to log accounting to a file if the
        # SQL insert fails with AcctFailedLogFileName.
        # That way you could recover from a broken SQL server.
        AcctFailedLogFileName %L/missedaccounting
    </AuthBy>
</Handler>

# VPN anyconnect
<Handler NAS-IP-Address= /1.1.4.6/>
    AuthByPolicy ContinueWhileReject
    <AuthBy LDAP2>
        NoDefault
        Version 3
        Host ldap.cineca.it
        AuthDN cn=radius,ou=system-user,o=cineca,c=it
        AuthPassword RadiatoreNonTermosifone
        BaseDN o=CINECA,c=IT
        #ServerChecksPassword
        UsernameAttr mail
        EncryptedPasswordAttr userPassword
        SearchFilter (&(mail=%n)(vpnactive=1)(mmactive=1))
        AuthAttrDef vpngroup,Class,reply
        #AuthAttrDef departmentnumber,pool,request
        # AddToReply cisco-avpair="ipsec:addr-pool=%{pool}",cisco-avpair="ipsec:dns-servers=130.186.1.53 130.186.84.244"
    </AuthBy>

    # For debugging and testing
    #<AuthBy FILE>
    #    Filename /etc/radiator/users.vpn
    #</AuthBy>

    <AuthBy SQLTOTP>
        # Authenticate access to the TOTP token database.
        # These need to match the values used when creating the TOTP token database.
        DBSource DBI:Oracle:db105.dbc
        DBUsername noc
        DBAuth password
        # %0 is substituted as the already quoted user name.
        AuthSelect select secret, active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from totpkeys where username=%0
        # UpdateQuery is an SQL query that updates the TOTP data in the SQL database
        # after an authentication attempt. It will be passed the
        # bad login count in %0,
        # the quoted user name in %1,
        # the last_timestep in %2.
        # The default works with the sample database schema provided
        # in goodies/totp.sql.
        # %1 is substituted already quoted; any extra quote placed after it
        # leaves the statement with an unterminated literal (ORA-01756).
        UpdateQuery update totpkeys set accessed=sysdate, bad_logins=%0, last_timestep=%2 where username=%1
        # If Require2Factor is set, then the user must provide their static password
        # as a prefix to their TOTP one-time-password. The correct static password
        # is retrieved from the 4th field returned by AuthSelect.
        # If this flag is not set, but the user provides a static password prefix,
        # then the static password will be checked anyway.
        #Require2Factor 1
        # DefaultDigits specifies the number of TOTP digits to use if the user record
        # does not define digits. Defaults to 6.
        DefaultDigits 6
        # MaxBadLogins specifies how many consecutive bad PINs or bad TOTP codes
        # will be tolerated in the last BadLoginWindow seconds. If more than
        # MaxBadLogins bad authentication attempts (according to field 5
        # from AuthSelect) have occurred and the last one is
        # within the last BadLoginWindow seconds (according to field 6
        # from AuthSelect), the authentication attempt
        # will be rejected. The user must wait at least BadLoginWindow
        # seconds before attempting to authenticate again.
        # MaxBadLogins defaults to 10.
        # BadLoginWindow defaults to 10 seconds.
        # MaxBadLogins 10
        # BadLoginWindow 10
        # DelayWindow is the maximum number of timeslots time difference that can be
        # permitted between the client and server. Defaults to 1
        # (the value recommended by the TOTP specification).
        # DelayWindow 1
        # TimeStep is the size of the time step in seconds. Defaults to 30 seconds
        # (the value recommended by the TOTP specification).
        # TimeStep 30
        # TimeStepOrigin is the Unix epoch time of the first time step. Defaults to 0
        # (Jan 1, 1970, the value recommended by the TOTP specification).
        # TimeStepOrigin 0
        # You can also support EAP-OTP and/or EAP-GTC, besides PAP
        EAPType OTP GTC
        #EAPType GTC OTP
    </AuthBy>
</Handler>
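The ORA-01756 in the trace comes straight from the attached UpdateQuery: Radiator substitutes %1 as an already quoted user name, and the template adds a second quote after it, so the statement ends in `''` (visible at the end of the logged `do failed for` line). The following is an added example, not Radiator code: it expands the template the way the placeholders are documented (%0 bad login count, %1 quoted user name, %2 last_timestep) and runs a small lexer over the result that stands in for Oracle's parser. The doubling of embedded quotes inside `sql_quote`, and the names `expand_update_query`, `string_literals` and `lint_update_query`, are my assumptions; the two statement strings are copied from the attached configuration, with and without the stray quote.

```python
"""Expand a Radiator UpdateQuery template and check its quoting.

Added example, not Radiator code. Placeholders follow the documented meaning
in the attached config: %0 bad login count, %1 quoted user name, %2
last_timestep. sql_quote's doubling of embedded quotes is an assumption
about how the user name is quoted before substitution.
"""
import re

# Copied from the attached configuration: the stray quote after %1 is the bug.
BROKEN_UPDATE = ("update totpkeys set accessed=sysdate, bad_logins=%0, "
                 "last_timestep=%2 where username=%1'")
# Same statement with the trailing quote removed.
FIXED_UPDATE = ("update totpkeys set accessed=sysdate, bad_logins=%0, "
                "last_timestep=%2 where username=%1")


def sql_quote(value: str) -> str:
    """Wrap value in single quotes, doubling embedded quotes so it stays one literal."""
    return "'" + value.replace("'", "''") + "'"


def expand_update_query(template: str, bad_logins: int, username: str,
                        last_timestep: int) -> str:
    """Substitute %0/%1/%2 in one pass so substituted text is never re-scanned."""
    values = {"0": str(bad_logins), "1": sql_quote(username), "2": str(last_timestep)}
    return re.sub(r"%([012])", lambda m: values[m.group(1)], template)


def string_literals(sql: str) -> list:
    """Lex sql for single-quoted literals ('' inside a literal is an escaped quote).

    Raises ValueError if a literal runs off the end of the statement, which is
    the condition Oracle reports as ORA-01756.
    """
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1                      # consume the opening quote
        chars = []
        while True:
            if i >= n:
                raise ValueError("ORA-01756: quoted string not properly terminated")
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    chars.append("'")   # doubled quote: a literal apostrophe
                    i += 2
                    continue
                i += 1              # closing quote
                break
            chars.append(sql[i])
            i += 1
        literals.append("".join(chars))
    return literals


def lint_update_query(template: str, bad_logins: int, username: str,
                      last_timestep: int) -> dict:
    """Expand the template and report whether its quoting is well formed."""
    sql = expand_update_query(template, bad_logins, username, last_timestep)
    try:
        return {"ok": True, "sql": sql, "literals": string_literals(sql)}
    except ValueError as err:
        return {"ok": False, "sql": sql, "error": str(err)}


if __name__ == "__main__":
    # Constructed input: the values that appear in the trace in the thread.
    for template in (BROKEN_UPDATE, FIXED_UPDATE):
        print(lint_update_query(template, 12, "d.pavani at cineca.it", 0))
```

Run against the broken template with the values from the trace, `lint_update_query` produces exactly the statement the log shows and fails the same way; the corrected template yields a single literal. Running it on a user name that itself contains a quote shows why the already quoted %1 must be left alone: the value stays one literal, so the fix is to remove the extra quote, not to add more quoting around the placeholder. The lexer only checks the quoting, not the rest of the statement.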
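The comments in the AuthBy SQLTOTP clause describe the checks applied to a totpkeys row (DefaultDigits, DelayWindow, TimeStep, TimeStepOrigin, MaxBadLogins with BadLoginWindow, the optional static password prefix) and the three values handed to UpdateQuery. As an added example that is not Radiator's AuthSQLTOTP code, the following implements that policy from the same row fields, so the flow in the trace (bad code, bad_logins incremented, last_timestep carried over into the update) can be followed on a sample row. Assumptions: the secret column holds the key as a hex string, accessed is a Unix timestamp, a matched counter no newer than last_timestep is treated as a replay, and a lockout rejection writes nothing to the row. The sample row uses the RFC 6238 Appendix B test secret, not anyone's real key.

```python
"""TOTP verification driven by a totpkeys row.

Added example, not Radiator's AuthSQLTOTP code. It implements the policy the
AuthBy SQLTOTP comments describe (DefaultDigits, DelayWindow, TimeStep,
TimeStepOrigin, MaxBadLogins/BadLoginWindow, optional PIN prefix) and
returns the values UpdateQuery would receive. Assumptions: the secret column
holds the key as a hex string, accessed is a Unix timestamp, a matched
counter no newer than last_timestep is a replay.
"""
import hmac
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" as hex); the row is a
# constructed sample in the shape of the AuthSelect columns, not real data.
RFC6238_SECRET_HEX = "3132333435363738393031323334353637383930"
SAMPLE_ROW = {
    "secret": RFC6238_SECRET_HEX, "active": 1, "pin": None, "digits": 8,
    "bad_logins": 0, "accessed": 0, "last_timestep": 0,
    "algorithm": "SHA1", "timestep": 30, "timestep_origin": 0,
}


def totp_code(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """HOTP/TOTP dynamic truncation (RFC 4226 section 5.3) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(row: dict, presented: str, now: int, *, default_digits: int = 6,
                delay_window: int = 1, max_bad_logins: int = 10,
                bad_login_window: int = 10):
    """Return (result, reason, update).

    update carries what UpdateQuery would get: bad_logins (%0) and
    last_timestep (%2), plus accessed; it is None when nothing should be written.
    """
    bad = row["bad_logins"] or 0
    last = row["last_timestep"] or 0

    def update(bad_logins, last_timestep):
        return {"bad_logins": bad_logins, "accessed": now, "last_timestep": last_timestep}

    # MaxBadLogins/BadLoginWindow: too many bad attempts and the last one too recent.
    if bad > max_bad_logins and now - (row["accessed"] or 0) < bad_login_window:
        return "REJECT", "too many bad logins, wait BadLoginWindow", None
    if not row["active"]:
        return "REJECT", "token not active", None

    digits = row["digits"] or default_digits
    timestep = row["timestep"] or 30
    origin = row["timestep_origin"] or 0
    algorithm = row["algorithm"] or "SHA1"

    # A static password prefix, when the row has a PIN, is checked even without
    # Require2Factor (as the config comment describes).
    pin = row["pin"] or ""
    if pin and len(presented) > digits:
        prefix, presented = presented[:-digits], presented[-digits:]
        if not hmac.compare_digest(prefix.encode(), pin.encode()):
            return "REJECT", "bad PIN", update(bad + 1, last)

    secret = bytes.fromhex(row["secret"])
    current = (now - origin) // timestep
    for offset in range(-delay_window, delay_window + 1):   # DelayWindow either side
        counter = current + offset
        if counter < 0:
            continue
        expected = totp_code(secret, counter, digits, algorithm)
        if hmac.compare_digest(expected.encode(), presented.encode()):
            if counter <= last:                              # replay guard via last_timestep
                return "REJECT", "code already used", update(bad + 1, last)
            return "ACCEPT", "ok", update(0, counter)
    return "REJECT", "bad TOTP code", update(bad + 1, last)


if __name__ == "__main__":
    # Constructed inputs: the RFC 6238 vector for T=59 (code 94287082), then a wrong code.
    print(verify_totp(SAMPLE_ROW, "94287082", 59))
    print(verify_totp(SAMPLE_ROW, "00000000", 59))
```

`verify_totp` hands back the UpdateQuery inputs as a dict so the caller can see what %0 and %2 would be for each outcome. This also shows why the failing UpdateQuery in the trace matters beyond the IGNORE result: the bad_logins=12 it tries to write never persists, so MaxBadLogins cannot be enforced until the update statement is fixed.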