<div dir="ltr"><p>Hello Heikki, <br>
</p>
<p>Thanks for the help. I tried the approach with authby OTP that you
suggested but once Authby LDAP2 is processed , Authby OTP is not getting
executed instead Access-Accept is sent to client. <br>
</p>
<p><br>
</p>
<p>Config File : <br>
</p>
<p><AuthBy OTP><br>
Identifer otp-authby<br>
EAPType One-Time-Password,Generic-Token<br>
PasswordPattern 99999<br>
<br>
ChallengeHook sub {my ($self, $user, $p, $context) = @_;\<br>
$context->{otp_password} = $self->generate_password();\<br>
system('/usr/src/send_sms.sh','NNNNNNNNN',$context->{otp_password});\<br>
return "OTP sent";}<br>
<br>
AddToReply State="auth-otp"<br>
VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\<br>
return $context->{otp_password} eq $submitted_pw ;}<br>
</AuthBy><br>
<br>
<Handler State=auth-otp><br>
AuthBy otp-authby<br>
</Handler><br>
<br>
<Handler><br>
AuthByPolicy ContinueWhileAccept<br>
<AuthBy LDAP2><br>
Host 192.168.0.45<br>
EAPType One-Time-Password,Generic-Token<br>
AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com<br>
AuthPassword XXXXX<br>
BaseDN DC=XXXXXX,DC=XXXXX,DC=com<br>
ServerChecksPassword<br>
UsernameAttr sAMAccountName<br>
AuthAttrDef logonHours,MS-Login-Hours,check<br>
ConsumePassword ,<br>
</AuthBy><br>
AuthBy otp-authby<br>
</Handler> <br>
</p>
<p>Error Log : <a href="https://paste-bin.xyz/30722">https://paste-bin.xyz/30722</a></p>
<p>[root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -password '' -user XXXXX -password XXXX<br>
sending Access-Request<br>
OK<br>
[root@radiator goodies]#</p><p><br></p><p><br></p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 5, 2022 at 6:08 PM Heikki Vatiainen <<a href="mailto:hvn@open.com.au">hvn@open.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 4.1.2022 12.15, Sagar Malam wrote:<br>
<br>
> I am new to radiator and perl.I would like to implement 2FA using Authby <br>
> LDAP2 and Authby OTP but i am not able to find any examples for <br>
> implementing the same over the internet.<br>
<br>
Please see goodies/duo.cfg together with goodies/otp.cfg<br>
<br>
duo.cfg shows how to check password against a file, can be SQL, LDAP, <br>
etc. too, and then pass the request, if successful so far, to the second <br>
factor. In this case there's no Access-Challenge required, just one <br>
Access-Request followed by access or reject, and it works with plain PAP <br>
and EAP-TTLS/PAP.<br>
<br>
If you'd like to use AuthBy OTP, something like this could work:<br>
<br>
<AuthBy OTP><br>
Identifer otp-authby<br>
# Add to Access-Challenge State attribute with value 'auth-otp'<br>
# This is done in the ChallengeHook<br>
</AutHBy><br>
<br>
<Handler State=auth-otp><br>
AuthBy otp-authby<br>
</Handler><br>
<br>
<Handler><br>
AuthByPolicy ContinueWhileAccept<br>
<AuthBy LDAP2><br>
ConsumePassword<br>
</AuthBy><br>
AuthBy otp-authby<br>
</Handler><br>
<br>
<br>
The user first logs in with their LDAP password. If successful, password <br>
is cleared from the request and AuthBy OTP is called for the first time. <br>
This triggers ChallengeHook. Within the ChallengeHook, add State <br>
attribute so that the subsequent Access-Accept, that now contains the <br>
one-time-password, caught by <Handler State=auth-otp>.<br>
<br>
What the above requires is PAP and that the authentication client <br>
software the user has understands Radius Access-Challenge.<br>
<br>
Using EAP-TTLS/PAP could also work. In this case the correct use of <br>
State attribute needs to be checked.<br>
<br>
Note that the above is plain Radius where a RADIUS client sends requests <br>
to Radiator. If you'd need to have an integration to web services, that <br>
can be problematic as Dubravko wrote earlier.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
-- <br>
Heikki Vatiainen<br>
OSC, makers of Radiator<br>
Visit <a href="http://radiatorsoftware.com" rel="noreferrer" target="_blank">radiatorsoftware.com</a> for Radiator AAA server software<br>
_______________________________________________<br>
radiator mailing list<br>
<a href="mailto:radiator@lists.open.com.au" target="_blank">radiator@lists.open.com.au</a><br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator" rel="noreferrer" target="_blank">https://lists.open.com.au/mailman/listinfo/radiator</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px"><br></span></div><div dir="ltr"><span style="font-size:12.8px">Thanks & Regards,</span><br></div></div><div dir="ltr"><span style="font-size:12.8px">Sagar Malam</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Project Leader | Ecosmob Technologies Pvt. Ltd.</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">(+91)9601533171 | </span><a rel="nofollow noreferrer" href="http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w" dir="ltr" style="color:rgb(38,50,56);font-size:13px;line-height:16px" target="_blank">www.ecosmob.com</a><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Skype: sagar.ecosmob</span><br></div></div></div></div></div></div></div>
<br>
<div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Disclaimer</b></font></div><div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small">In addition to generic Disclaimer which you have agreed on our website, any views or opinions presented in this email are solely those of the originator and do not necessarily represent those of the Company or its sister concerns. Any liability (in negligence, contract or otherwise) arising from any third party taking any action, or refraining from taking any action on the basis of any of the information contained in this email is hereby excluded.</span></div></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><br></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Confidentiality</b></font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication (including any attachment/s) is intended only for the use of the addressee(s) and contains information that is PRIVILEGED AND CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or copying of this communication is prohibited. Please inform originator if you have received it in error.</font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><br></font></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><b>Caution for viruses, malware etc.</b></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication, including any attachments, may not be free of viruses, trojans, similar or new contaminants/malware, interceptions or interference, and may not be compatible with your systems. You shall carry out virus/malware scanning on your own before opening any attachment to this e-mail. The sender of this e-mail and Company including its sister concerns shall not be liable for any damage that may incur to you as a result of viruses, incompleteness of this message, a delay in receipt of this message or any other computer problems. </font></div>