[RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

Heikki Vatiainen hvn at open.com.au
Fri Jan 7 12:22:42 UTC 2022


On 6.1.2022 14.31, Sagar Malam wrote:

> Thanks for the help. I tried the approach with authby OTP that you 
> suggested but once Authby LDAP2 is processed, Authby OTP is not getting 
> executed; instead Access-Accept is sent to client.

Thanks for the log and config. It seems I made a typo in my previous reply:

> Config File :
> 
> <AuthBy OTP>
>          Identifer otp-authby

This should be 'Identifier'. One 'i' is missing. When this happens, there 
are error and warning level log messages because of this and because of the 
missing reference from <Handler>. Remember to check the startup log messages 
too when troubleshooting.

>      EAPType One-Time-Password,Generic-Token

I'd also remove EAPType parameters for now. If you need to support EAP, 
then it should be tested separately to see that the processing works 
with EAP and see what updates might be needed.

Note that there's also EAPType in AuthBy LDAP2 clause below.

> <Handler>
>      AuthByPolicy ContinueWhileAccept
>      <AuthBy LDAP2>
>       Host    192.168.0.45
>      EAPType One-Time-Password,Generic-Token
>      AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com
>      AuthPassword    XXXXX
>      BaseDN        DC=XXXXXX,DC=XXXXX,DC=com
>      ServerChecksPassword
>      UsernameAttr sAMAccountName
>      AuthAttrDef logonHours,MS-Login-Hours,check
>      ConsumePassword ,

Change this to 'ConsumePassword'. That is, let it empty the password 
completely. In some cases both static and one-time password are sent 
together and need to be split, but not this time.

https://files.radiatorsoftware.com/radiator/ref/ConsumePassword.html


>      </AuthBy>
>      AuthBy otp-authby
> </Handler>
> 
> Error Log : https://paste-bin.xyz/30722 <https://paste-bin.xyz/30722>
> 
> [root at radiator goodies]# /opt/radiator/radiator/radpwtst -noacct 
> -password '' -user XXXXX -password XXXX
> sending Access-Request
> OK

Use '-trace 4' with radpwtst to see in detail what it sends and receives. 
With multi-round authentication, also add the '-interactive' flag to tell 
radpwtst that more than a single request is needed.

Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
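As an added example that is not part of the thread, here is the quoted <Handler> with the three changes described in the reply applied: 'Identifier' spelled correctly so the Handler's 'AuthBy otp-authby' reference resolves, 'EAPType' dropped from both clauses, and 'ConsumePassword' with no argument. The host and directory values are constructed placeholders, not the poster's real values, and any OTP-specific parameters that AuthBy OTP needs to generate and verify the token in your deployment are deliberately omitted and must be taken from the Radiator reference manual.

```conf
# Two-stage authentication: static password checked against the directory
# via LDAP first, then a one-time password. Added example based on the
# quoted configuration; all values marked with "example" are constructed.

<AuthBy OTP>
    # The Handler refers to this clause by name, so the keyword must be
    # spelled 'Identifier' (a misspelling leaves 'AuthBy otp-authby' dangling
    # and shows up as error/warning messages in the startup log).
    Identifier otp-authby
    # EAPType intentionally not set: get plain multi-round authentication
    # working first, then test EAP separately.
</AuthBy>

<Handler>
    # Continue to the next AuthBy only while the previous one accepted:
    # the LDAP stage must succeed before the OTP stage is even tried.
    AuthByPolicy ContinueWhileAccept

    <AuthBy LDAP2>
        # example values: replace with your directory server and service account
        Host            ldap.example.com
        AuthDN          CN=svc-radius,OU=ServiceAccounts,DC=example,DC=com
        AuthPassword    REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
        BaseDN          DC=example,DC=com
        ServerChecksPassword
        UsernameAttr    sAMAccountName
        AuthAttrDef     logonHours,MS-Login-Hours,check
        # No argument: the whole static password is consumed here, so the OTP
        # stage does not see it. A separator argument is only for the case
        # where static and one-time parts arrive concatenated in one field.
        ConsumePassword
    </AuthBy>

    AuthBy otp-authby
</Handler>
```

With this in place, the behaviour in the quoted radpwtst run (an immediate Access-Accept after the LDAP stage) should change to an Access-Challenge for the one-time password; run radpwtst with '-trace 4' and '-interactive' as suggested above to see both rounds, and read the startup log first to confirm that no AuthBy reference is reported as missing.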

