[RADIATOR] Auth by LDAP2 and TOTP
Sagar Malam
sagar.malam at ecosmob.com
Mon Jan 31 12:40:53 UTC 2022
Hello All,
I am trying to implement 2FA using LDAP2 and TOTP, but I am facing an issue
with *ConsumePassword*. I am using ":" to separate the LDAP password and the TOTP,
but when AuthBy LDAP receives the password (PASS:TOTP PIN), it consumes
both parts of the password and hence LDAP auth fails.
I am testing it using radpwtst like this:
[root at radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -user mike -password password:123344
sending Access-Request
Rejected: Request Denied
CFG:
<Handler>
    AuthByPolicy ContinueWhileAccept
    <AuthBy LDAP2>
        ConsumePassword :
        Host 192.168.0.45
        AuthDN DC=com
        AuthPassword XXXXXXX
        BaseDN DC=com
        ServerChecksPassword
        EncryptedPasswordAttr unicodePwd
        UsernameAttr sAMAccountName
        ConsumePassword :
    </AuthBy>
    <AuthBy SQLTOTP>
        DBSource dbi:mysql:radius
        DBUsername mike
        DBAuth test
        AuthSelect select secret, active, pin, digits, bad_logins, unix_timestamp(accessed), last_timestep, algorithm, timestep, timestep_origin from totpkeys where username=?
        AuthSelectParam %0
        UpdateQuery update totpkeys set accessed=now(), bad_logins=?, last_timestep=? where username=?
        UpdateQueryParam %0
        UpdateQueryParam %2
        UpdateQueryParam %1
    </AuthBy>
</Handler>
==================================
LOGS:
ccd9afa0 Mon Jan 31 07:25:29 2022 257280: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
ccd9afa0 Mon Jan 31 07:25:29 2022 257662: INFO: Access rejected for mike: Bad Encrypted password
ccd9afa0 Mon Jan 31 07:25:29 2022 258306: DEBUG: Packet dump:
ccd9afa0 *** Sending to 127.0.0.1 port 56705 ....
ccd9afa0 Code: Access-Reject
ccd9afa0 Identifier: 178
ccd9afa0 Authentic: <173><187><218><177><232><218><9>Rj<235>f<202><165><204><190>'
ccd9afa0 Attributes:
ccd9afa0 Reply-Message = "Request Denied"
326fc0b0 Mon Jan 31 07:26:28 2022 066537: DEBUG: Packet dump:
326fc0b0 *** Received from 127.0.0.1 port 35953 ....
326fc0b0 Code: Access-Request
326fc0b0 Identifier: 131
326fc0b0 Authentic: <8><237><192><14><185><143>]G<152><155><207><171>p<162>a<10>
326fc0b0 Attributes:
326fc0b0 User-Name = "mike"
326fc0b0 Service-Type = Framed-User
326fc0b0 NAS-IP-Address = 203.63.154.1
326fc0b0 NAS-Identifier = "203.63.154.1"
326fc0b0 NAS-Port = 1234
326fc0b0 Called-Station-Id = "123456789"
326fc0b0 Calling-Station-Id = "987654321"
326fc0b0 NAS-Port-Type = Async
326fc0b0 User-Password = J<234><249><188><26>D<248>T<29>9<152><142><175><182>A<217>
326fc0b0 Mon Jan 31 07:26:28 2022 066918: DEBUG: Handling request with Handler '', Identifier ''
326fc0b0 Mon Jan 31 07:26:28 2022 067174: DEBUG: SessINTERNAL: Deleting session for mike, 203.63.154.1, 1234
326fc0b0 Mon Jan 31 07:26:28 2022 067326: DEBUG: Handling with Radius::AuthLDAP2:
00000000 Mon Jan 31 07:26:28 2022 067596: INFO: AuthLDAP2 Connecting to 192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 069773: INFO: AuthLDAP2 Connected to 192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 069985: INFO: AuthLDAP2 Attempting to bind to LDAP server 192.168.0.45 port 389
326fc0b0 Mon Jan 31 07:26:28 2022 074574: DEBUG: AuthLDAP2 Got result with filter (sAMAccountName=mike) for DN CN=mike,DC=com
326fc0b0 Mon Jan 31 07:26:28 2022 097755: DEBUG: AuthLDAP2 ServerChecksPassword failed for CN=mike,DC=com
326fc0b0 Mon Jan 31 07:26:28 2022 098056: DEBUG: Radius::AuthLDAP2 looks for match with 'mike' [mike]
326fc0b0 Mon Jan 31 07:26:28 2022 098497: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: 'mike' [mike]
00000000 Mon Jan 31 07:26:28 2022 098704: INFO: AuthLDAP2 Connecting to 192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 099847: INFO: AuthLDAP2 Connected to 192.168.0.45 port 389
00000000 Mon Jan 31 07:26:28 2022 100137: INFO: AuthLDAP2 Attempting to bind to LDAP server 192.168.0.45 port 389
326fc0b0 Mon Jan 31 07:26:28 2022 104783: DEBUG: AuthLDAP2 No entries for 'DEFAULT' found in LDAP database with filter (sAMAccountName=DEFAULT)
326fc0b0 Mon Jan 31 07:26:28 2022 105113: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password
326fc0b0 Mon Jan 31 07:26:28 2022 105413: INFO: Access rejected for mike: Bad Encrypted password
326fc0b0 Mon Jan 31 07:26:28 2022 105921: DEBUG: Packet dump:
326fc0b0 *** Sending to 127.0.0.1 port 35953 ....
326fc0b0 Code: Access-Reject
326fc0b0 Identifier: 131
326fc0b0 Authentic: y7<179><203>z<170>]<212>R<7><229><218><231>3D<215>
326fc0b0 Attributes:
326fc0b0 Reply-Message = "Request Denied"
Please help me troubleshoot this.
--
Thanks & Regards,
Sagar Malam
Project Leader | Ecosmob Technologies Pvt. Ltd.
(+91)9601533171 | www.ecosmob.com
Skype: sagar.ecosmob
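The split the post is asking for, as an added example that is not Radiator's code and not the poster's: the first factor is handed only the LDAP part of the password and the TOTP check only the trailing OTP, which is exactly the step that is missing in the log above (the whole "password:OTP" string reaches the directory bind). The TOTP part is an RFC 6238 verifier with a drift window and replay protection. Assumptions: 6-digit SHA-1 TOTP, 30-second timestep, origin 0, a ":" separator, and a constructed in-memory "directory" standing in for the LDAP bind; `SAMPLE_DIRECTORY`, `SAMPLE_SECRET` and the function names are all hypothetical.

```python
# Added example (not Radiator's code, not the poster's): split a combined
# "ldap-password:OTP" credential so each factor checks only its own part,
# and verify the OTP per RFC 6238. Assumes 6-digit SHA-1 TOTP, 30 s step.
import hashlib
import hmac
import struct

# Constructed sample data: one user whose LDAP password is "password".
SAMPLE_DIRECTORY = {"mike": "password"}
# RFC 6238 reference secret (ASCII "12345678901234567890"), sample only.
SAMPLE_SECRET = b"12345678901234567890"


def directory_bind(username: str, password: str) -> bool:
    """Stand-in for the LDAP bind / ServerChecksPassword step."""
    return SAMPLE_DIRECTORY.get(username) == password


def split_credential(combined: str, separator: str = ":", otp_digits: int = 6):
    """Split 'ldap-password<sep>OTP' into (ldap_password, otp).

    Splits on the LAST separator so the LDAP password may itself contain one;
    returns None when no fixed-length numeric OTP trails the separator."""
    head, sep, otp = combined.rpartition(separator)
    if not sep or len(otp) != otp_digits or not otp.isdigit():
        return None
    return head, otp


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, timestep: int = 30, origin: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current timestep number."""
    return hotp(secret, (now - origin) // timestep, digits)


def verify_totp(secret, otp, now, timestep=30, origin=0, digits=6, window=1, last_timestep=None):
    """Return the accepted timestep number, or None.

    Accepts `window` steps of clock drift either way, and refuses any step at
    or before `last_timestep` (what a last_timestep column records) so an
    observed OTP cannot be replayed."""
    current = (now - origin) // timestep
    for step in range(current - window, current + window + 1):
        if last_timestep is not None and step <= last_timestep:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), otp):
            return step
    return None


def authenticate(username, combined, now, secret=SAMPLE_SECRET, last_timestep=None):
    """Two-factor flow: the first factor sees only its own part of the password."""
    parts = split_credential(combined)
    if parts is None:
        return "REJECT: no trailing OTP"
    ldap_password, otp = parts
    if not directory_bind(username, ldap_password):
        return "REJECT: first factor failed"
    if verify_totp(secret, otp, now, last_timestep=last_timestep) is None:
        return "REJECT: bad or reused OTP"
    return "ACCEPT"


def authenticate_unsplit(username, combined):
    """The failure mode in the post: the whole 'password:OTP' string reaches the
    directory, so the bind fails even though the LDAP password is correct."""
    return "ACCEPT" if directory_bind(username, combined) else "REJECT: first factor failed"


if __name__ == "__main__":
    otp = totp(SAMPLE_SECRET, 59)                            # "287082" (RFC 6238 vector, T=59)
    print(authenticate_unsplit("mike", "password:" + otp))   # REJECT: first factor failed
    print(authenticate("mike", "password:" + otp, 59))       # ACCEPT
```

Splitting on the last separator rather than the first matters when the directory password itself contains the separator; taking a fixed number of trailing digits is the other common choice and avoids needing a separator at all. The `last_timestep` check is what makes a captured OTP useless after its first successful use.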