<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Good day.
<div class=""><br class="">
</div>
<div class="">I am working on a project for sending users OTPs to gain access. I would like to have users authenticate to AD and, once accepted, use AuthBy OTP to generate a token and send it to the user via SMS. The user would then enter the OTP and gain access.</div>
<div class="">I have done a bit of researching and found a config that I am using as a base. <a href="http://www.van-sluis.nl/?p=345" class="">http://www.van-sluis.nl/?p=345</a></div>
<div class="">The AuthBy LDAP2 in my config is working as expected, but the AuthBy OTP is not. It is a bit confusing at this point, as I am unsure how to debug the AuthBy OTP failure to find the exact issue.</div>
<div class=""><br class="">
</div>
<div class="">My expectation is that if the AuthBy OTP were working right, a one-time password would be generated and then sent to the user's mobile number found in AD.</div>
<div class=""><br class="">
</div>
<div class="">Any ideas where to start with this one?</div>
<div class=""><br class="">
</div>
<div class="">Cleaned radius.cfg file</div>
<div class="">========</div>
<div class=""><pre>
# radius.cfg - Niels van Sluis, &lt;<a href="mailto:niels@van-sluis.nl" class="">niels@van-sluis.nl</a>&gt;
#
# Example Radiator configuration file.
#
# * retrieve mobile number from Directory Server.
# * generate and send One-Time Password to mobile number.
# * authenticate One-Time Password.

LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 7

AuthPort 1812
AcctPort 1813

&lt;Client 1.1.100.8&gt;
	Secret REDACTED
	Identifier juni-sslvpn
&lt;/Client&gt;

&lt;AuthBy LDAP2&gt;
	# Radiator talks to Microsoft AD.
	# Try to find mobile number only.
	Debug 255
	Identifier SSLVPN_LDAP
	NoDefault
	Host 1.1.50.80 1.1.50.82
	Port 3268
	BaseDN
	AuthDN cn=SVC_REDACTED, OU=REDACTED, DC=REDACTED, DC=REDACTED, DC=REDACTED
	AuthPassword REDACTED
	Timeout 2
	UsernameAttr sAMAccountName
	PasswordAttr
	ServerChecksPassword
	HoldServerConnection
	FailureBackoffTime 0
	# Get attribute that contains the mobile number.
	AuthAttrDef MobileNumber

	# We don't do authentication. Authentication is done by OTP.
	#NoCheckPassword

	# Some code to put the mobile number into memory, so it can be used
	# by OTP. Every line of the hook, blank ones included, ends in a
	# backslash so Radiator reads it as one continued line.
	PostSearchHook sub {\
		use Radius::Context;\
		\
		my $user = $_[1];\
		my $attr = ($_[4]->get('MobileNumber'))[0];\
		\
		my $context = &amp;Radius::Context::get("otp:$user", 120);\
		$context->{mobile_number} = $attr;\
	}
&lt;/AuthBy&gt;

&lt;AuthBy OTP&gt;
	# Authenticate based on One-Time Password sent to user by SMS.
	Identifier SSLVPN_OTP
	EAPType One-Time-Password,Generic-Token
	ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
		$context->{otp_password} = $self->generate_password();\
		system('/etc/radiator/otp/sendsms.php', $user, $context->{mobile_number}, $context->{otp_password});\
		return "Enter One-Time Password"; \
	}
&lt;/AuthBy&gt;

&lt;AuthBy GROUP&gt;
	Identifier Check-LDAP-and-OTP
	AuthByPolicy ContinueWhileAccept
	AuthBy SSLVPN_LDAP
	AuthBy SSLVPN_OTP
&lt;/AuthBy&gt;

&lt;Handler Client-Identifier = juni-sslvpn&gt;
	RejectHasReason
	AuthBy Check-LDAP-and-OTP
&lt;/Handler&gt;
</pre></div>
<div class="">========</div>
<div class=""><br class="">
</div>
<div class="">Cleaned log output</div>
<div class="">========</div>
<div class=""><pre>
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Received from 1.1.100.8 port 48711 ....

Packet length = 60
01 f9 00 3c 44 f6 a0 c6 d9 45 84 6b 77 b0 3b bd
6f 7c a6 a6 01 0a 48 6f 6e 6e 6f 6c 64 4a 02 12
38 0e 00 f6 b2 17 6f 3b e0 62 22 b9 36 35 f7 bd
06 06 00 00 00 01 04 06 a7 64 64 08
Code: Access-Request
Identifier: 249
Authentic: D&lt;246&gt;&lt;160&gt;&lt;198&gt;&lt;217&gt;E&lt;132&gt;kw&lt;176&gt;;&lt;189&gt;o|&lt;166&gt;&lt;166&gt;
Attributes:
	User-Name = "ADUSER"
	User-Password = 8&lt;14&gt;&lt;0&gt;&lt;246&gt;&lt;178&gt;&lt;23&gt;o;&lt;224&gt;b"&lt;185&gt;65&lt;247&gt;&lt;189&gt;
	Service-Type = Login-User
	NAS-IP-Address = 1.1.100.8

Sun Dec 20 20:55:03 2015: DEBUG: Handling request with Handler 'Client-Identifier = juni-sslvpn', Identifier ''
Sun Dec 20 20:55:03 2015: DEBUG: Deleting session for ADUSER, 1.1.100.8, 
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthGROUP: Check-LDAP-and-OTP
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthLDAP2: SSLVPN_LDAP
Sun Dec 20 20:55:03 2015: INFO: Connecting to 1.1.50.80:3268 1.1.50.82:3268
Sun Dec 20 20:55:03 2015: INFO: Connected to 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: INFO: Attempting to bind to LDAP server 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: DEBUG: LDAP got result for CN=AD User,OU=REDACTED,OU=REDACTED,DC=REDACTED,DC=REDACTED,DC=REDACTED
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 ACCEPT: : ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_LDAP result: ACCEPT, 
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthOTP: SSLVPN_OTP
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP REJECT: OTP Authentication failed: (): ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_OTP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: AuthBy GROUP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: INFO: Access rejected for ADUSER: OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Sending to 1.1.100.8 port 48711 ....

Packet length = 51
03 f9 00 33 67 f2 b5 1f 1c 13 63 fc 25 ff d3 79
a5 80 d7 c5 12 1f 4f 54 50 20 41 75 74 68 65 6e
74 69 63 61 74 69 6f 6e 20 66 61 69 6c 65 64 3a
20 28 29
Code: Access-Reject
Identifier: 249
Authentic: g&lt;242&gt;&lt;181&gt;&lt;31&gt;&lt;28&gt;&lt;19&gt;c&lt;252&gt;%&lt;255&gt;&lt;211&gt;y&lt;165&gt;&lt;128&gt;&lt;215&gt;&lt;197&gt;
Attributes:
	Reply-Message = "OTP Authentication failed: ()"
</pre></div>
<div class=""><br class="">
</div>
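<div class="">Added example, not the poster's configuration or Radiator's own code: a small RFC 2865 packet parser that classifies an Access-Request as the first leg of an OTP exchange (User-Password present, no State attribute) or the second leg (State echoed back from an Access-Challenge). Checking this in a packet dump like the one above tells you which password the OTP module is actually being handed before you dig into the hooks. The sample packets are constructed; the authenticator and password bytes are placeholders.</div>

```python
"""Decode RADIUS packets and tell the two legs of a challenge exchange apart.
Sample packets at the bottom are constructed for this example."""
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 18: "Reply-Message", 24: "State"}

def parse_radius(pkt: bytes) -> dict:
    """Decode the 20-byte header and the type/length/value attributes after it."""
    if 20 > len(pkt):
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d != %d bytes on the wire" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos != length:
        atype, alen = pkt[pos], pkt[pos + 1]      # length includes the 2-byte header
        if 2 > alen or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((ATTRS.get(atype, atype), pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident,
            "authenticator": pkt[4:20], "attrs": attrs}

def attr(parsed: dict, name) -> list:
    """All values of one attribute (RADIUS allows repeats)."""
    return [v for n, v in parsed["attrs"] if n == name]

def challenge_leg(parsed: dict) -> str:
    """First leg: password but no State. Second leg: State copied from the challenge."""
    if parsed["code"] != "Access-Request":
        return parsed["code"]
    if attr(parsed, "State"):
        return "second leg: State present, User-Password should hold the OTP"
    if attr(parsed, "User-Password"):
        return "first leg: User-Password present, no State"
    return "first leg: no password"

def build(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode a packet from (type, value) pairs; used only to make test input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

AUTH = bytes(range(16))                           # placeholder authenticator
REQ_FIRST = build(1, 249, AUTH, [(1, b"ADUSER"), (2, bytes(16)),
                                 (6, b"\x00\x00\x00\x01"), (4, bytes([1, 1, 100, 8]))])
REQ_SECOND = build(1, 250, AUTH, [(1, b"ADUSER"), (2, bytes(16)), (24, b"otp-session-1")])
REJECT = build(3, 249, AUTH, [(18, b"OTP Authentication failed: ()")])
```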
</body>
</html>