[RADIATOR] Mangling the User-Password between AuthBy clauses

Hugh Irvine hugh at open.com.au
Tue Oct 2 05:54:06 UTC 2018


Hello Martin -

You will need to do something more like this:
<Handler>
        AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>
                # The filename defaults to %D/users
                Filename %D/users
        </AuthBy>
        <AuthBy RADIUS>
                Host localhost
                Secret mysecret
                ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
                       $p->{DecodedPassword} = "P"; }
        </AuthBy>
        # Log accounting to the detail file in LogDir
        AcctLogFileName %L/detail
</Handler>
You can’t just change the “User-Password”, you need to change “$p->{DecodedPassword}”.

hope that helps

regards

Hugh


> On 2 Oct 2018, at 01:37, Martin Burton <mvb at sanger.ac.uk> wrote:
> 
> Hi All,
> 
> I'm attempting to set up multi-factor authentication for a service here
> at Sanger using our LDAP for checking passwords and then proxying off to
> a Gemalto Safenet radius server to initiate a Push OTP to the user's mobile.
> 
> For this to work, I need to have the user's User-Password be their real
> password for the first check against LDAP, and then replace it with the
> single letter "P" for the subsequent proxied request to the Gemalto server.
> 
> The following works for the LDAP case:
> 
> <AuthBy LDAP2>
>                Identifier Sanger-LDAP
>                UseTLS
>                SSLVerify none
>                Host ***************
>                BaseDN ***************
>                UsernameAttr uid
>                PasswordAttr userPassword
>                ServerChecksPassword
> </AuthBy>
> 
> <Handler>
>        RewriteUsername s/^([^@]+).*/$1/
>        AuthBy Sanger-LDAP
> </Handler>
> 
> and the following works for the Gemalto Safenet case (i.e any
> User-Password gets rewritten to "P" to trigger a push to the user's phone)
> 
> <AuthBy RADIUS>
>                Identifier Safenet
>                NoForwardAccounting
>                RetryTimeout 60
>                Retries 1
> 
>                ForwardHook sub { my $p = $_[0]; my $fp = $_[1]; \
>                        $fp->change_attr('User-Password', "P"); }
> 
>                Secret **********
>                <Host **********>
>                        AuthPort 1812
>                </Host>
>                <Host **********>
>                        AuthPort 1812
>                </Host>
> </AuthBy>
> 
> <Handler>
>        RewriteUsername s/^([^@]+).*/$1/
>        AuthBy Safenet
> </Handler>
> 
> 
> However, if I try to combine those two with:
> 
> <Handler>
>        RewriteUsername s/^([^@]+).*/$1/
>        AuthByPolicy ContinueUntilReject
>        AuthBy Sanger-LDAP
>        AuthBy Safenet
> </Handler>
> 
> Then the User-Password does not get rewritten before being proxied to
> the Safenet Radius servers.
> 
> Is there something I'm missing, or a better way to accomplish what I'm
> trying to achieve here?
> 
> 
> Best Regards,
> 
> Martin.
> 
> -- 
> Martin Burton
> Principal Systems Administrator            \\\|||///
> Infrastructure Team                       \\  ^ ^  //
> Wellcome Sanger Institute                  (  6 6  )
> -----------------------------------------oOOo-(_)-oOOo---
> t: +44 (0)1223 496945             http://www.sanger.ac.uk
> Extreme Networks Specialist:      a1780000003uG1BAAU


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
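Added illustration, in Python, of the mechanism Hugh's advice rests on. It is not Radiator code and not from either poster, and it does not model how Radiator sequences its ForwardHook internally (the thread does not show that). RFC 2865 section 5.2 hides User-Password by XORing it with MD5(secret + Request Authenticator), chaining later blocks on the previous ciphertext block, so the attribute bytes a NAS sends are bound to the NAS shared secret and that request's authenticator. A proxy that forwards to a server with a different secret therefore has to work on the decoded password and re-hide it for the outbound request, which is why the value to substitute with "P" is the decoded password rather than the attribute as received. Function names, parameter names and the sample secrets, authenticators and password are all constructed for this example.

```python
"""RFC 2865 User-Password hiding, and why a proxy that substitutes the password
must operate on the decoded value (added illustration, not Radiator code)."""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a cleartext password as RFC 2865 section 5.2 describes: pad with NULs
    to a multiple of 16 bytes, then XOR each block with MD5(secret + previous
    ciphertext block), using the Request Authenticator for the first block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        cipher = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += cipher
        prev = cipher
    return bytes(hidden)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse encode_user_password. Trailing NUL padding is stripped, so a
    password that itself ends in NUL bytes is not representable (RFC limitation)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(clear).rstrip(b"\x00")


def proxy_rewrite(inbound_hidden: bytes, inbound_secret: bytes, inbound_auth: bytes,
                  outbound_secret: bytes, outbound_auth: bytes = None,
                  replacement: bytes = b"P") -> dict:
    """Model the two-stage flow from the thread (hypothetical helper): recover the
    real password for the LDAP check, then build the User-Password for the
    forwarded request from the replacement, hidden under the proxy target's own
    secret and a fresh Request Authenticator. Returns both stages for inspection."""
    if outbound_auth is None:
        outbound_auth = os.urandom(16)  # every forwarded request gets its own authenticator
    decoded = decode_user_password(inbound_hidden, inbound_secret, inbound_auth)
    forwarded = encode_user_password(replacement, outbound_secret, outbound_auth)
    return {"decoded_for_ldap": decoded,
            "outbound_auth": outbound_auth,
            "forwarded_user_password": forwarded}


def copying_the_attribute_fails(inbound_hidden: bytes, inbound_secret: bytes, inbound_auth: bytes,
                                outbound_secret: bytes, outbound_auth: bytes) -> bool:
    """Show why the hidden attribute cannot simply be carried across: the bytes the
    NAS sent only decode under the NAS secret and authenticator, so a downstream
    server applying its own secret and a new authenticator recovers junk."""
    real = decode_user_password(inbound_hidden, inbound_secret, inbound_auth)
    seen_downstream = decode_user_password(inbound_hidden, outbound_secret, outbound_auth)
    return seen_downstream != real


if __name__ == "__main__":
    # Constructed sample values; real authenticators are 16 random bytes per request.
    nas_auth, otp_auth = b"A" * 16, b"B" * 16
    hidden = encode_user_password(b"hunter2", b"nas-secret", nas_auth)
    result = proxy_rewrite(hidden, b"nas-secret", nas_auth, b"otp-secret", otp_auth)
    print("LDAP sees:", result["decoded_for_ldap"])
    print("OTP server decodes:", decode_user_password(result["forwarded_user_password"], b"otp-secret", otp_auth))
```

Run it directly to see the LDAP stage recover the real password and the forwarded attribute decode to "P" under the second secret. The decode function's NUL stripping is the RFC 2865 ambiguity, not a bug: the protocol cannot distinguish padding from a password that ends in NUL bytes.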