[RADIATOR] 2 Factor authentication via Authby LDAP2 and Authby OTP

Heikki Vatiainen hvn at open.com.au
Wed Jan 12 18:01:22 UTC 2022


A small update to the previous message to clarify the ChallengeHook a 
little.

On 10.1.2022 14.50, Sagar Malam wrote:

> Thanks for the help. It worked as expected after doing corrections. I 
> would like to have EAP support as well. Can you help me with enabling 
> that?

Please see below for a modified version of the previous configuration. 
Changes are:
- Add a new global parameter that tells EAP to use the State attribute
- Fix 'Identifier' spelling in AuthBy OTP
- Move State attribute into the step where it's actually needed
- New Handler that takes care of EAP by converting EAP-GTC to PAP
- Updated <Handler State=auth-otp> to check that State ends with 'auth-otp'
- Leave EAPType enabled only within AuthBy that processes EAP
- ConsumePassword is set to empty to clear the password before OTP

Things to note: EAP-GTC is supported by converting it to PAP and then 
doing the same steps that plain PAP would do. Some extra work is needed 
to take care of State attribute that EAP also uses to track its state.

With EAP the message payload is not encrypted unless the EAP method 
itself does this. EAP-GTC does not. You can configure the following to 
avoid exposing the static password to Radiator DEBUG level logging (the 
parameter allows multiple attribute names too):

   PacketDumpOmitAttributes EAP-Message,User-Password

Care is also needed when EAP-GTC is transferred without secure tunneling 
(EAP-TTLS, PEAP, IPsec, VPN or other method).

PEAP and other, typically Wi-Fi, methods are not supported by the 
configuration. I took a look at the current Laptop and Wireless EAP 
clients but the PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seems to be rare. 
OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.

Here's the updated configuration. Please let us know how it goes.


EAP_UseState 1

<AuthBy OTP>
     Identifier otp-authby
     PasswordPattern 99999

     # Return undef from ChallengeHook to force reject if State
     # already ends with 'auth-otp'. Now it will send a new SMS
     # when empty string is entered by the end user.
     ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
         $context->{otp_password} = $self->generate_password();\
         my $state = $p->get_attr('State'); \
         $p->{rp}->add_attr('State', 'auth-otp') \
             if !$state || $state !~ m/auth-otp\z/s; \
         system('/usr/src/send_sms.sh','NNNNNNNNN',$context->{otp_password});\
         return "OTP sent";}

     VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\
         return $context->{otp_password} eq $submitted_pw ;}
</AuthBy>

<Handler ExistsInRequest=EAP-Message>
      <AuthBy FILE>
          EAPType GTC
          Filename /dev/null
          EAP_GTC_PAP_Convert
      </AuthBy>

      # EAP adds State. It's permissible to add more,
      # such as AuthBy OTP State value, to the end.
      PostProcessingHook sub { my $rp = ${$_[1]}; \
           my @states = $rp->get_attr('State'); return if @states != 2; \
           $rp->delete_attr('State'); \
           $rp->add_attr('State', join('', reverse @states)); }
</Handler>

<Handler State=/auth-otp\z/>
     AuthBy otp-authby
</Handler>

<Handler>
     AuthByPolicy ContinueWhileAccept
     <AuthBy LDAP2>
         Host    192.168.0.45
         AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com
         AuthPassword    XXXXX
         BaseDN        DC=XXXXXX,DC=XXXXX,DC=com
         ServerChecksPassword
         UsernameAttr sAMAccountName
         AuthAttrDef logonHours,MS-Login-Hours,check
         ConsumePassword
     </AuthBy>
     AuthBy otp-authby
</Handler>


Thanks,
Heikki

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
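To make the two-round-trip flow that the configuration above implements easier to follow, here is an added Python model of it. This is example code written for this page; it is not Radiator's own code and was not posted by the author. It replaces AuthBy LDAP2 with an in-memory dictionary of invented users, replaces /usr/src/send_sms.sh with a list that records what would have been sent, and mirrors the PasswordPattern, the ChallengeHook/VerifyHook split, the State=/auth-otp\z/ Handler and the PostProcessingHook's State merge. Everything in it is constructed; the real server's attribute handling and EAP state machine are not modelled, and the "one attempt per OTP" rule is a choice of this model, not documented AuthBy OTP behaviour.

```python
from __future__ import annotations

import secrets
import string

# Constructed stand-in for the page's Radiator configuration. Usernames and
# passwords are invented; the "directory" dict replaces AuthBy LDAP2 and the
# sms_log list replaces /usr/src/send_sms.sh.
PASSWORD_PATTERN = "99999"   # same PasswordPattern as the AuthBy OTP on the page


def generate_password(pattern: str = PASSWORD_PATTERN) -> str:
    """Mimic AuthBy OTP PasswordPattern: every '9' becomes a random digit."""
    return "".join(secrets.choice(string.digits) if c == "9" else c for c in pattern)


def merge_eap_state(states: list[str]) -> str | None:
    """Model of the PostProcessingHook in <Handler ExistsInRequest=EAP-Message>.

    When the reply carries two State values (the 'auth-otp' added by the
    ChallengeHook first, then the one EAP added), join them in reverse order so
    the merged value still ends in 'auth-otp' and matches the next Handler's
    State=/auth-otp\\z/ check. Returns None when there is nothing to merge,
    just as the hook returns early when it does not see exactly two values.
    """
    if len(states) != 2:
        return None
    return "".join(reversed(states))


class TwoFactorServer:
    """Models the Handler chain: static password (LDAP2), then OTP (AuthBy OTP)."""

    def __init__(self, directory: dict[str, str]):
        self.directory = directory                  # user -> static password (invented)
        self.contexts: dict[str, str] = {}          # pending OTP per user ($context->{otp_password})
        self.sms_log: list[tuple[str, str]] = []    # what send_sms.sh would have sent

    def _challenge(self, user: str) -> dict[str, str]:
        """ChallengeHook: generate the OTP, 'send' it, answer Access-Challenge."""
        otp = generate_password()
        self.contexts[user] = otp
        self.sms_log.append((user, otp))
        # This model always puts State in the challenge so the client echoes it back.
        return {"Code": "Access-Challenge", "State": "auth-otp", "Reply-Message": "OTP sent"}

    def handle(self, request: dict[str, str]) -> dict[str, str]:
        user = request.get("User-Name", "")
        password = request.get("User-Password", "")
        state = request.get("State", "")

        # <Handler State=/auth-otp\z/>: second round trip, only AuthBy OTP runs.
        if state.endswith("auth-otp"):
            if password == "":
                # Empty password: ChallengeHook runs again and a new SMS goes out.
                return self._challenge(user)
            # VerifyHook: compare against the stored OTP; one attempt per OTP here.
            expected = self.contexts.pop(user, None)
            if expected is not None and secrets.compare_digest(expected, password):
                return {"Code": "Access-Accept"}
            return {"Code": "Access-Reject"}

        # Default <Handler> with AuthByPolicy ContinueWhileAccept:
        # AuthBy LDAP2 (ServerChecksPassword) must accept the static password first ...
        if self.directory.get(user) != password:
            return {"Code": "Access-Reject"}

        # ... then ConsumePassword clears it, AuthBy OTP sees an empty password
        # and its ChallengeHook produces the Access-Challenge with State.
        return self._challenge(user)


if __name__ == "__main__":
    srv = TwoFactorServer({"alice": "s3cret"})          # constructed user
    print(srv.handle({"User-Name": "alice", "User-Password": "s3cret"}))
    user, otp = srv.sms_log[-1]
    print(srv.handle({"User-Name": user, "User-Password": otp, "State": "auth-otp"}))
```

Walking a request through `handle()` twice, once with the static password and once with the OTP taken from `sms_log`, reproduces the Accept/Challenge/Reject sequence the configuration is meant to give; `merge_eap_state` shows why the PostProcessingHook reverses the two State values before joining them.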

