[RADIATOR] Auth by LDAP2 and TOTP

Sagar Malam sagar.malam at ecosmob.com
Wed Feb 2 10:12:33 UTC 2022


Thanks a lot, Heikki. Now it works very well!

On Tue, Feb 1, 2022 at 7:38 PM Heikki Vatiainen <hvn at open.com.au> wrote:

> On 31.1.2022 14.40, Sagar Malam wrote:
>
> > I am trying to implement 2FA using LDAP2 and TOTP, but I am facing an issue
> > with *ConsumePassword*. I am using ":" to separate the LDAP password and
> > the TOTP, but when AuthBy LDAP receives the password (PASS:TOTP PIN), it
> > consumes both parts of the password and hence LDAP auth fails.
>
> Thanks for reporting this. It seems ConsumePassword does not currently
> work as expected with ServerChecksPassword within AuthBy LDAP2. Briefly:
> because the User-Password attribute is not compared against a value from
> LDAP, it doesn't play well with ConsumePassword.
> However, there's a possibility to do this with different steps. This is
> how it was already possible before the ConsumePassword helper.
>
> I recommend also adding 'NoDefault' flag within AuthBy LDAP2 to suppress
> DEFAULT user lookup. 'EncryptedPasswordAttr unicodePwd' should also be
> removed because that LDAP attribute is write-only in AD.
>
> <Handler>
>      AuthByPolicy ContinueWhileAccept
>      <AuthBy INTERNAL>
>          DefaultResult ACCEPT
>          AuthHook sub { my $p = $_[0]; \
>              my @parts = split(m/:/s, $p->decodedPassword(), 2);\
>              $p->{DecodedPassword} = $parts[0]; \
>              return ($main::ACCEPT);}
>      </AuthBy>
>
>      <AuthBy LDAP2>
>         # No need for ConsumePassword
>      </AuthBy>
>
>      # Decrypt User-Password again and use the 2nd part
>      <AuthBy INTERNAL>
>          DefaultResult ACCEPT
>          AuthHook sub { my $p = $_[0]; $p->{DecodedPassword} = undef; \
>              my @parts = split(m/:/s, $p->decodedPassword(), 2);\
>              $p->{DecodedPassword} = $parts[1]; \
>              return ($main::ACCEPT);}
>      </AuthBy>
>
>      <AuthBy SQLTOTP>
>          # No changes here
>      </AuthBy>
> </Handler>
>
> Please let us know how it goes.
>
> Thanks,
> Heikki
>
> > I am testing it using radpwtst like this:
> > [root at radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -user
> > mike -password password:123344
> > sending Access-Request
> > Rejected: Request Denied
> >
> >
> > CFG:
> >
> > <Handler>
> >    AuthByPolicy ContinueWhileAccept
> >      <AuthBy LDAP2>
> > ConsumePassword :
> >          Host    192.168.0.45
> >          AuthDN DC=com
> >          AuthPassword    XXXXXXX
> >          BaseDN          DC=com
> >          ServerChecksPassword
> >          EncryptedPasswordAttr unicodePwd
> >          UsernameAttr sAMAccountName
> >          ConsumePassword :
> >      </AuthBy>
> > <AuthBy SQLTOTP>
> > DBSource dbi:mysql:radius
> > DBUsername mike
> > DBAuth test
> > AuthSelect select secret, active, pin, digits, bad_logins,
> > unix_timestamp(accessed), last_timestep, algorithm, timestep,
> > timestep_origin from totpkeys where username=?
> > AuthSelectParam %0
> > UpdateQuery update totpkeys set accessed=now(), bad_logins=?,
> > last_timestep=? where username=?
> > UpdateQueryParam %0
> > UpdateQueryParam %2
> > UpdateQueryParam %1
> > </AuthBy>
> > </Handler>
> >
> > ==================================
> > LOGS:
> >
> > ccd9afa0 Mon Jan 31 07:25:29 2022 257280: DEBUG: AuthBy LDAP2 result:
> > REJECT, Bad Encrypted password
> > ccd9afa0 Mon Jan 31 07:25:29 2022 257662: INFO: Access rejected for
> > mike: Bad Encrypted password
> > ccd9afa0 Mon Jan 31 07:25:29 2022 258306: DEBUG: Packet dump:
> > ccd9afa0 *** Sending to 127.0.0.1 port 56705 ....
> > ccd9afa0 Code:       Access-Reject
> > ccd9afa0 Identifier: 178
> > ccd9afa0 Authentic:
> >   <173><187><218><177><232><218><9>Rj<235>f<202><165><204><190>'
> > ccd9afa0 Attributes:
> > ccd9afa0 Reply-Message = "Request Denied"
> >
> > 326fc0b0 Mon Jan 31 07:26:28 2022 066537: DEBUG: Packet dump:
> > 326fc0b0 *** Received from 127.0.0.1 port 35953 ....
> > 326fc0b0 Code:       Access-Request
> > 326fc0b0 Identifier: 131
> > 326fc0b0 Authentic:
> >   <8><237><192><14><185><143>]G<152><155><207><171>p<162>a<10>
> > 326fc0b0 Attributes:
> > 326fc0b0 User-Name = "mike"
> > 326fc0b0 Service-Type = Framed-User
> > 326fc0b0 NAS-IP-Address = 203.63.154.1
> > 326fc0b0 NAS-Identifier = "203.63.154.1"
> > 326fc0b0 NAS-Port = 1234
> > 326fc0b0 Called-Station-Id = "123456789"
> > 326fc0b0 Calling-Station-Id = "987654321"
> > 326fc0b0 NAS-Port-Type = Async
> > 326fc0b0 User-Password =
> > J<234><249><188><26>D<248>T<29>9<152><142><175><182>A<217>
> >
> > 326fc0b0 Mon Jan 31 07:26:28 2022 066918: DEBUG: Handling request with
> > Handler '', Identifier ''
> > 326fc0b0 Mon Jan 31 07:26:28 2022 067174: DEBUG: SessINTERNAL: Deleting
> > session for mike, 203.63.154.1, 1234
> > 326fc0b0 Mon Jan 31 07:26:28 2022 067326: DEBUG: Handling with
> > Radius::AuthLDAP2:
> > 00000000 Mon Jan 31 07:26:28 2022 067596: INFO: AuthLDAP2 Connecting to
> > 192.168.0.45 port 389
> > 00000000 Mon Jan 31 07:26:28 2022 069773: INFO: AuthLDAP2 Connected to
> > 192.168.0.45 port 389
> > 00000000 Mon Jan 31 07:26:28 2022 069985: INFO: AuthLDAP2 Attempting to
> > bind to LDAP server 192.168.0.45 port 389
> > 326fc0b0 Mon Jan 31 07:26:28 2022 074574: DEBUG: AuthLDAP2 Got result
> > with filter (sAMAccountName=mike) for DN CN=mike,DC=com
> > 326fc0b0 Mon Jan 31 07:26:28 2022 097755: DEBUG: AuthLDAP2
> > ServerChecksPassword failed for CN=mike,DC=com
> > 326fc0b0 Mon Jan 31 07:26:28 2022 098056: DEBUG: Radius::AuthLDAP2 looks
> > for match with 'mike' [mike]
> > 326fc0b0 Mon Jan 31 07:26:28 2022 098497: DEBUG: Radius::AuthLDAP2
> > REJECT: Bad Encrypted password: 'mike' [mike]
> > 00000000 Mon Jan 31 07:26:28 2022 098704: INFO: AuthLDAP2 Connecting to
> > 192.168.0.45 port 389
> > 00000000 Mon Jan 31 07:26:28 2022 099847: INFO: AuthLDAP2 Connected to
> > 192.168.0.45 port 389
> > 00000000 Mon Jan 31 07:26:28 2022 100137: INFO: AuthLDAP2 Attempting to
> > bind to LDAP server 192.168.0.45 port 389
> > 326fc0b0 Mon Jan 31 07:26:28 2022 104783: DEBUG: AuthLDAP2 No entries
> > for 'DEFAULT' found in LDAP database with filter (sAMAccountName=DEFAULT)
> > 326fc0b0 Mon Jan 31 07:26:28 2022 105113: DEBUG: AuthBy LDAP2 result:
> > REJECT, Bad Encrypted password
> > 326fc0b0 Mon Jan 31 07:26:28 2022 105413: INFO: Access rejected for
> > mike: Bad Encrypted password
> > 326fc0b0 Mon Jan 31 07:26:28 2022 105921: DEBUG: Packet dump:
> > 326fc0b0 *** Sending to 127.0.0.1 port 35953 ....
> > 326fc0b0 Code:       Access-Reject
> > 326fc0b0 Identifier: 131
> > 326fc0b0 Authentic:  y7<179><203>z<170>]<212>R<7><229><218><231>3D<215>
> > 326fc0b0 Attributes:
> > 326fc0b0 Reply-Message = "Request Denied"
> >
> >
> > Please help me troubleshoot this.
> >
> >
> > --
> >
> > Thanks & Regards,
> > Sagar Malam
> > Project Leader | Ecosmob Technologies Pvt. Ltd.
> > (+91)9601533171 | www.ecosmob.com
> > Skype: sagar.ecosmob
> >
> > *Disclaimer*
> > In addition to generic Disclaimer which you have agreed on our website,
> > any views or opinions presented in this email are solely those of the
> > originator and do not necessarily represent those of the Company or its
> > sister concerns. Any liability (in negligence, contract or otherwise)
> > arising from any third party taking any action, or refraining from
> > taking any action on the basis of any of the information contained in
> > this email is hereby excluded.
> >
> > *Confidentiality*
> > This communication (including any attachment/s) is intended only for the
> > use of the addressee(s) and contains information that is PRIVILEGED AND
> > CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or
> > copying of this communication is prohibited. Please inform originator if
> > you have received it in error.
> >
> > *Caution for viruses, malware etc.*
> > This communication, including any attachments, may not be free of
> > viruses, trojans, similar or new contaminants/malware, interceptions or
> > interference, and may not be compatible with your systems. You shall
> > carry out virus/malware scanning on your own before opening any
> > attachment to this e-mail. The sender of this e-mail and Company
> > including its sister concerns shall not be liable for any damage that
> > may incur to you as a result of viruses, incompleteness of this message,
> > a delay in receipt of this message or any other computer problems.
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at lists.open.com.au
> > https://lists.open.com.au/mailman/listinfo/radiator
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software



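The two-hook arrangement from Heikki's reply, modelled end to end as an added Python example that is not part of this thread or of Radiator: a request object that decrypts User-Password lazily and caches it in DecodedPassword, the first INTERNAL hook keeping the LDAP part, an LDAP2 stand-in checking it, the second hook resetting the cache so the full password is decrypted again and the TOTP part kept, and an SQLTOTP stand-in verifying an RFC 6238 code under AuthByPolicy ContinueWhileAccept. The shared secret, authenticator, directory password and TOTP seed are constructed values, and the directory and totpkeys table are plain dictionaries.

```python
import hashlib, hmac, struct

# Constructed sample values (not from the thread): RADIUS shared secret, request
# authenticator, the directory password and the TOTP seed for user "mike".
SECRET, AUTHENTICATOR = b"mysecret", bytes(range(16))
DIRECTORY = {"mike": "password"}               # stands in for the AD bind check
TOTP_KEYS = {"mike": b"12345678901234567890"}  # stands in for the totpkeys table

def pap_hide(data, secret, auth, encrypt):
    """RFC 2865 s5.2 User-Password hiding (encrypt=True) and its reverse."""
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        blk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + blk, (blk if encrypt else data[i:i + 16])
    return out

class Request:
    """Stand-in for Radiator's request: decodedPassword() decrypts lazily and caches into DecodedPassword."""
    def __init__(self, user, cipher):
        self.user, self.cipher, self.DecodedPassword = user, cipher, None
    def decodedPassword(self):
        if self.DecodedPassword is None:
            self.DecodedPassword = pap_hide(self.cipher, SECRET, AUTHENTICATOR, False).rstrip(b"\0").decode()
        return self.DecodedPassword

def totp(key, now, step=30, digits=6):  # RFC 6238 (HMAC-SHA1), in place of AuthBy SQLTOTP
    mac = hmac.new(key, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0xF
    return "%0*d" % (digits, (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits)

def hook_first_part(p):   # AuthBy INTERNAL #1: keep "PASS" out of "PASS:TOTP"
    p.DecodedPassword = p.decodedPassword().split(":", 1)[0]
    return True
def authby_ldap2(p):      # AuthBy LDAP2 with ServerChecksPassword, no ConsumePassword needed
    return DIRECTORY.get(p.user) == p.decodedPassword()
def hook_second_part(p):  # AuthBy INTERNAL #2: drop the cache, re-decrypt, keep "TOTP"
    p.DecodedPassword = None  # without this the cached first part would be split again
    parts = p.decodedPassword().split(":", 1)
    p.DecodedPassword = parts[1] if len(parts) == 2 else ""  # no ":" -> empty code -> reject
    return True
def authby_totp(p, now):  # AuthBy SQLTOTP
    return hmac.compare_digest(p.decodedPassword(), totp(TOTP_KEYS[p.user], now))

def handler(user, password, now):  # AuthByPolicy ContinueWhileAccept over the four AuthBys
    p = Request(user, pap_hide(password.encode(), SECRET, AUTHENTICATOR, True))
    for step in (hook_first_part, authby_ldap2, hook_second_part, lambda q: authby_totp(q, now)):
        if not step(p):
            return "REJECT"
    return "ACCEPT"
```

Because the split is on the first ":", an LDAP password that itself contains ":" cannot be used with this scheme; a request with no ":" at all passes the LDAP step and is rejected at the TOTP step with an empty code.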