[RADIATOR] Auth by LDAP2 and TOTP
Heikki Vatiainen
hvn at open.com.au
Tue Feb 1 14:06:01 UTC 2022
On 31.1.2022 14.40, Sagar Malam wrote:
> I am trying to implement 2FA using LDAP2 and TOTP but I am facing an issue
> with ConsumePassword. I am using ":" to separate the LDAP password and
> TOTP, but when AuthBy LDAP receives the password (PASS:TOTP PIN), it
> consumes both parts of the password and hence LDAP auth fails.
Thanks for reporting this. It seems ConsumePassword does not currently
work as expected with ServerChecksPassword within AuthBy LDAP2. Briefly:
because the User-Password attribute is not compared against a value from
LDAP, it doesn't play well with ConsumePassword.
However, it is possible to do this with different steps. This is
how it was already possible before the ConsumePassword helper.
I also recommend adding the 'NoDefault' flag within AuthBy LDAP2 to suppress
the DEFAULT user lookup. 'EncryptedPasswordAttr unicodePwd' should also be
removed because that LDAP attribute is write-only in AD.
<Handler>
    AuthByPolicy ContinueWhileAccept

    # Decrypt User-Password and keep only the part before the first ':'
    # so that AuthBy LDAP2 sees just the LDAP password
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
        AuthHook sub { my $p = $_[0]; \
            my @parts = split(m/:/s, $p->decodedPassword(), 2); \
            $p->{DecodedPassword} = $parts[0]; \
            return ($main::ACCEPT); }
    </AuthBy>

    <AuthBy LDAP2>
        # No need for ConsumePassword
    </AuthBy>

    # Decrypt User-Password again and use the 2nd part
    <AuthBy INTERNAL>
        DefaultResult ACCEPT
        AuthHook sub { my $p = $_[0]; $p->{DecodedPassword} = undef; \
            my @parts = split(m/:/s, $p->decodedPassword(), 2); \
            $p->{DecodedPassword} = $parts[1]; \
            return ($main::ACCEPT); }
    </AuthBy>

    <AuthBy SQLTOTP>
        # No changes here
    </AuthBy>
</Handler>
Please let us know how it goes.
Thanks,
Heikki
> I am testing it using radpwtst like this :
> [root at radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -user
> mike -password password:123344
> sending Access-Request
> Rejected: Request Denied
>
>
> CFG :
>
> <Handler>
> AuthByPolicy ContinueWhileAccept
> <AuthBy LDAP2>
> ConsumePassword :
> Host 192.168.0.45
> AuthDN DC=com
> AuthPassword XXXXXXX
> BaseDN DC=com
> ServerChecksPassword
> EncryptedPasswordAttr unicodePwd
> UsernameAttr sAMAccountName
> ConsumePassword :
> </AuthBy>
> <AuthBy SQLTOTP>
> DBSource dbi:mysql:radius
> DBUsername mike
> DBAuth test
> AuthSelect select secret, active, pin, digits, bad_logins,
> unix_timestamp(accessed), last_timestep, algorithm, timestep,
> timestep_origin from totpkeys where username=?
> AuthSelectParam %0
> UpdateQuery update totpkeys set accessed=now(), bad_logins=?,
> last_timestep=? where username=?
> UpdateQueryParam %0
> UpdateQueryParam %2
> UpdateQueryParam %1
> </AuthBy>
> </Handler>
>
> ==================================
> LOGS :
>
> ccd9afa0 Mon Jan 31 07:25:29 2022 257280: DEBUG: AuthBy LDAP2 result:
> REJECT, Bad Encrypted password
> ccd9afa0 Mon Jan 31 07:25:29 2022 257662: INFO: Access rejected for
> mike: Bad Encrypted password
> ccd9afa0 Mon Jan 31 07:25:29 2022 258306: DEBUG: Packet dump:
> ccd9afa0 *** Sending to 127.0.0.1 port 56705 ....
> ccd9afa0 Code: Access-Reject
> ccd9afa0 Identifier: 178
> ccd9afa0 Authentic:
> <173><187><218><177><232><218><9>Rj<235>f<202><165><204><190>'
> ccd9afa0 Attributes:
> ccd9afa0 Reply-Message = "Request Denied"
>
> 326fc0b0 Mon Jan 31 07:26:28 2022 066537: DEBUG: Packet dump:
> 326fc0b0 *** Received from 127.0.0.1 port 35953 ....
> 326fc0b0 Code: Access-Request
> 326fc0b0 Identifier: 131
> 326fc0b0 Authentic:
> <8><237><192><14><185><143>]G<152><155><207><171>p<162>a<10>
> 326fc0b0 Attributes:
> 326fc0b0 User-Name = "mike"
> 326fc0b0 Service-Type = Framed-User
> 326fc0b0 NAS-IP-Address = 203.63.154.1
> 326fc0b0 NAS-Identifier = "203.63.154.1"
> 326fc0b0 NAS-Port = 1234
> 326fc0b0 Called-Station-Id = "123456789"
> 326fc0b0 Calling-Station-Id = "987654321"
> 326fc0b0 NAS-Port-Type = Async
> 326fc0b0 User-Password =
> J<234><249><188><26>D<248>T<29>9<152><142><175><182>A<217>
>
> 326fc0b0 Mon Jan 31 07:26:28 2022 066918: DEBUG: Handling request with
> Handler '', Identifier ''
> 326fc0b0 Mon Jan 31 07:26:28 2022 067174: DEBUG: SessINTERNAL: Deleting
> session for mike, 203.63.154.1, 1234
> 326fc0b0 Mon Jan 31 07:26:28 2022 067326: DEBUG: Handling with
> Radius::AuthLDAP2:
> 00000000 Mon Jan 31 07:26:28 2022 067596: INFO: AuthLDAP2 Connecting to
> 192.168.0.45 port 389
> 00000000 Mon Jan 31 07:26:28 2022 069773: INFO: AuthLDAP2 Connected to
> 192.168.0.45 port 389
> 00000000 Mon Jan 31 07:26:28 2022 069985: INFO: AuthLDAP2 Attempting to
> bind to LDAP server 192.168.0.45 port 389
> 326fc0b0 Mon Jan 31 07:26:28 2022 074574: DEBUG: AuthLDAP2 Got result
> with filter (sAMAccountName=mike) for DN CN=mike,DC=com
> 326fc0b0 Mon Jan 31 07:26:28 2022 097755: DEBUG: AuthLDAP2
> ServerChecksPassword failed for CN=mike,DC=com
> 326fc0b0 Mon Jan 31 07:26:28 2022 098056: DEBUG: Radius::AuthLDAP2 looks
> for match with 'mike' [mike]
> 326fc0b0 Mon Jan 31 07:26:28 2022 098497: DEBUG: Radius::AuthLDAP2
> REJECT: Bad Encrypted password: 'mike' [mike]
> 00000000 Mon Jan 31 07:26:28 2022 098704: INFO: AuthLDAP2 Connecting to
> 192.168.0.45 port 389
> 00000000 Mon Jan 31 07:26:28 2022 099847: INFO: AuthLDAP2 Connected to
> 192.168.0.45 port 389
> 00000000 Mon Jan 31 07:26:28 2022 100137: INFO: AuthLDAP2 Attempting to
> bind to LDAP server 192.168.0.45 port 389
> 326fc0b0 Mon Jan 31 07:26:28 2022 104783: DEBUG: AuthLDAP2 No entries
> for 'DEFAULT' found in LDAP database with filter (sAMAccountName=DEFAULT)
> 326fc0b0 Mon Jan 31 07:26:28 2022 105113: DEBUG: AuthBy LDAP2 result:
> REJECT, Bad Encrypted password
> 326fc0b0 Mon Jan 31 07:26:28 2022 105413: INFO: Access rejected for
> mike: Bad Encrypted password
> 326fc0b0 Mon Jan 31 07:26:28 2022 105921: DEBUG: Packet dump:
> 326fc0b0 *** Sending to 127.0.0.1 port 35953 ....
> 326fc0b0 Code: Access-Reject
> 326fc0b0 Identifier: 131
> 326fc0b0 Authentic: y7<179><203>z<170>]<212>R<7><229><218><231>3D<215>
> 326fc0b0 Attributes:
> 326fc0b0 Reply-Message = "Request Denied"
>
>
> Please help me troubleshoot this.
>
>
> --
>
> Thanks & Regards,
> Sagar Malam
> Project Leader | Ecosmob Technologies Pvt. Ltd.
> (+91)9601533171 | www.ecosmob.com
> Skype: sagar.ecosmob
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
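The following is an added example, not code from the reply above and not part of Radiator. It simulates the two AuthBy INTERNAL hooks from the reply against a small mock request object so the password-splitting can be traced without a RADIUS client, LDAP server or TOTP database. The mock's decodedPassword() caches its result in $self->{DecodedPassword}; that caching behaviour is an assumption modelled on the reply's own use of "$p->{DecodedPassword} = undef" to force a second decode, not something taken from Radiator's source. The split_on_last_colon() helper and the guard against a missing second part are also my additions, not the reply's.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): trace the two-hook password split
# from the reply above on constructed passwords.
use strict;
use warnings;

package MockRequest;

# Assumption: stands in for Radiator's request object. The real object
# decrypts the RADIUS User-Password attribute; here "decryption" just
# returns the constructed cleartext, cached in {DecodedPassword} the way
# the reply's second hook expects (it resets that key to force a re-decode).
sub new {
    my ($class, $cleartext) = @_;
    return bless { cleartext => $cleartext, DecodedPassword => undef }, $class;
}

sub decodedPassword {
    my $self = shift;
    $self->{DecodedPassword} = $self->{cleartext}
        unless defined $self->{DecodedPassword};
    return $self->{DecodedPassword};
}

package main;

# Hook 1 (mirrors the reply): leave only the text before the first ':'
# in the cache, so the following AuthBy LDAP2 sees just the LDAP password.
sub ldap_part_hook {
    my $p = $_[0];
    my @parts = split(m/:/s, $p->decodedPassword(), 2);
    $p->{DecodedPassword} = $parts[0];
    return 1;
}

# Hook 2 (mirrors the reply): reset the cache so the full password is
# decoded again, then keep the part after the first ':' for AuthBy SQLTOTP.
# My addition: if there is no ':' at all, $parts[1] is undef; storing undef
# would clear the cache and the next decodedPassword() would return the
# whole password, so an empty string is stored instead.
sub totp_part_hook {
    my $p = $_[0];
    $p->{DecodedPassword} = undef;
    my @parts = split(m/:/s, $p->decodedPassword(), 2);
    $p->{DecodedPassword} = defined $parts[1] ? $parts[1] : '';
    return 1;
}

# My addition, not from the reply: split on the LAST ':' instead, so an
# LDAP password that itself contains ':' is still handled correctly.
sub split_on_last_colon {
    my $pw = shift;
    return ($pw, '') unless $pw =~ m/^(.*):([^:]*)\z/s;
    return ($1, $2);
}

# Walk one request through the hook chain and report what each AuthBy saw.
sub run_chain {
    my $cleartext = shift;
    my $p = MockRequest->new($cleartext);
    ldap_part_hook($p);
    my $seen_by_ldap = $p->decodedPassword();
    totp_part_hook($p);
    my $seen_by_totp = $p->decodedPassword();
    return ($seen_by_ldap, $seen_by_totp);
}

# Constructed sample passwords: the normal case, an LDAP password that
# contains ':', and a request with no TOTP part at all.
for my $pw ('password:123344', 'pa:ss:word:123344', 'nocolon123344') {
    my ($ldap, $totp) = run_chain($pw);
    my ($ldap2, $totp2) = split_on_last_colon($pw);
    printf "%-20s first-colon split: LDAP='%s' TOTP='%s'\n", $pw, $ldap, $totp;
    printf "%-20s last-colon split:  LDAP='%s' TOTP='%s'\n", '',  $ldap2, $totp2;
}
```

Running this shows why the first-colon split from the reply is fine for 'password:123344' but turns 'pa:ss:word:123344' into LDAP='pa' and TOTP='ss:word:123344', which both backends will reject. If LDAP passwords may legitimately contain ':', swap the regex in the hooks for a last-colon split as in split_on_last_colon(), or avoid the separator entirely by taking a fixed number of trailing digits as the TOTP code.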