<div dir="ltr">Hello Heikki, <div><br></div><div>I need one more help. I would like to get a phone number from LDAP ( AD ) and use it in a challenge hook to send SMS to it. </div><div>I tried to set it in auth by ldap2 : </div><div>AuthAttrDef phoneNumber, request</div><div><br></div><div>But it is not working for me. Am I doing it the right way ? Can you please provide me some direction on this ? </div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 17, 2022 at 1:21 PM Sagar Malam <<a href="mailto:sagar.malam@ecosmob.com">sagar.malam@ecosmob.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">This works exactly as expected. Thanks a lot Heikki. </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 12, 2022 at 11:32 PM Heikki Vatiainen <<a href="mailto:hvn@open.com.au" target="_blank">hvn@open.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">A small update to the previous message to clarify the ChallengeHook a <br>
little.<br>
<br>
On 10.1.2022 14.50, Sagar Malam wrote:<br>
<br>
> Thanks for the help. I worked as expected after doing corrections. I <br>
> would like to have EAP support as well. Can you help me with enabling <br>
> that ?<br>
<br>
Please see below for a modifed version of the previous configuration. <br>
Changes are:<br>
- Add new global parameter that tells EAP to use State attribute<br>
- Fix 'Identifier' spelling in AuthBy OTP<br>
- Move State attribute to into the step where it's actually needed<br>
- New Handler that takes care of EAP by converting EAP-GTC to PAP<br>
- Updated <Handler State=auth-otp> to check that State ends with 'auth-otp'<br>
- Leave EAPType enabled only within AuthBy that processes EAP<br>
- ConsumePassword is set to empty to clear the password before OTP<br>
<br>
Things to note: EAP-GTC is supported by converting it to PAP and then <br>
doing the same steps that plain PAP would do. Some extra work is needed <br>
to take care of State attribute that EAP also uses to track its state.<br>
<br>
With EAP the message payload is not encrypted unless the EAP method <br>
itself does this. EAP-GTC does not. You can configure the following to <br>
avoid exposing the static password to Radiator DEBUG level logging (the <br>
parameter allows multiple attribute names too)<br>
<br>
PacketDumpOmitAttributes EAP-Message,User-Password<br>
<br>
Care is also needed when EAP-GTC is transferred without secure tunneling <br>
(EAP-TTLS, PEAP, IPsec, VPN or other method).<br>
<br>
PEAP and other, typically Wi-Fi, methods are not supported by the <br>
configuration. I took a look at the current Laptop and Wireless EAP <br>
clients but the PEAP/EAP-GTC or EAP-TTLS/EAP-GTC still seems to be rare. <br>
OTPs also make frequent Wi-Fi (re)connects a bit troublesome to use.<br>
<br>
Here's the updated configuration. Please let us know how it goes.<br>
<br>
<br>
EAP_UseState 1<br>
<br>
<AuthBy OTP><br>
Identifier otp-authby<br>
PasswordPattern 99999<br>
<br>
# Return undef from ChallengeHook to force reject if State<br>
# already ends with 'auth-otp'. Now it will send a new SMS<br>
# when empty string is entered by the end user.<br>
ChallengeHook sub {my ($self, $user, $p, $context) = @_;\<br>
$context->{otp_password} = $self->generate_password();\<br>
my $state = $p->get_attr('State'); \<br>
$p->{rp}->add_attr('State', 'auth-otp') \<br>
if !$state || $state !~ m/auth-otp\z/s; \<br>
<br>
system('/usr/src/send_sms.sh','NNNNNNNNN',$context->{otp_password});\<br>
return "OTP sent";}<br>
<br>
VerifyHook sub {my ($self, $user, $submitted_pw, $p, $context) = @_;\<br>
return $context->{otp_password} eq $submitted_pw ;}<br>
</AuthBy><br>
<br>
<Handler ExistsInRequest=EAP-Message><br>
<AuthBy FILE><br>
EAPType GTC<br>
Filename /dev/null<br>
EAP_GTC_PAP_Convert<br>
</AuthBy><br>
<br>
# EAP adds State. It's permissible to add more,<br>
# such as AuthBy OTP State value, to the end.<br>
PostProcessingHook sub { my $rp = ${$_[1]}; \<br>
my @states = $rp->get_attr('State'); return if @states != 2; \<br>
$rp->delete_attr('State'); \<br>
$rp->add_attr('State', join('', reverse @states)); }<br>
</Handler><br>
<br>
<Handler State=/auth-otp\z/><br>
AuthBy otp-authby<br>
</Handler><br>
<br>
<Handler><br>
AuthByPolicy ContinueWhileAccept<br>
<AuthBy LDAP2><br>
Host 192.168.0.45<br>
AuthDN CN=XXXXXX ,OU=ServiceAccounts,DC=XXXXX,DC=XXXXX,DC=com<br>
AuthPassword XXXXX<br>
BaseDN DC=XXXXXX,DC=XXXXX,DC=com<br>
ServerChecksPassword<br>
UsernameAttr sAMAccountName<br>
AuthAttrDef logonHours,MS-Login-Hours,check<br>
ConsumePassword<br>
</AuthBy><br>
AuthBy otp-authby<br>
</Handler><br>
<br>
<br>
Thanks,<br>
Heikki<br>
<br>
-- <br>
Heikki Vatiainen<br>
OSC, makers of Radiator<br>
Visit <a href="http://radiatorsoftware.com" rel="noreferrer" target="_blank">radiatorsoftware.com</a> for Radiator AAA server software<br>
_______________________________________________<br>
radiator mailing list<br>
<a href="mailto:radiator@lists.open.com.au" target="_blank">radiator@lists.open.com.au</a><br>
<a href="https://lists.open.com.au/mailman/listinfo/radiator" rel="noreferrer" target="_blank">https://lists.open.com.au/mailman/listinfo/radiator</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px"><br></span></div><div dir="ltr"><span style="font-size:12.8px">Thanks & Regards,</span><br></div></div><div dir="ltr"><span style="font-size:12.8px">Sagar Malam</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Project Leader | Ecosmob Technologies Pvt. Ltd.</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">(+91)9601533171 | </span><a rel="nofollow noreferrer" href="http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w" dir="ltr" style="color:rgb(38,50,56);font-size:13px;line-height:16px" target="_blank">www.ecosmob.com</a><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Skype: sagar.ecosmob</span><br></div></div></div></div></div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px"><br></span></div><div dir="ltr"><span style="font-size:12.8px">Thanks & Regards,</span><br></div></div><div dir="ltr"><span style="font-size:12.8px">Sagar Malam</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Project Leader | Ecosmob Technologies Pvt. Ltd.</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">(+91)9601533171 | </span><a rel="nofollow noreferrer" href="http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w" dir="ltr" style="color:rgb(38,50,56);font-size:13px;line-height:16px" target="_blank">www.ecosmob.com</a><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Skype: sagar.ecosmob</span><br></div></div></div></div></div></div></div>
<br>
<div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Disclaimer</b></font></div><div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small">In addition to generic Disclaimer which you have agreed on our website, any views or opinions presented in this email are solely those of the originator and do not necessarily represent those of the Company or its sister concerns. Any liability (in negligence, contract or otherwise) arising from any third party taking any action, or refraining from taking any action on the basis of any of the information contained in this email is hereby excluded.</span></div></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><br></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Confidentiality</b></font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication (including any attachment/s) is intended only for the use of the addressee(s) and contains information that is PRIVILEGED AND CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or copying of this communication is prohibited. Please inform originator if you have received it in error.</font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><br></font></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><b>Caution for viruses, malware etc.</b></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication, including any attachments, may not be free of viruses, trojans, similar or new contaminants/malware, interceptions or interference, and may not be compatible with your systems. You shall carry out virus/malware scanning on your own before opening any attachment to this e-mail. The sender of this e-mail and Company including its sister concerns shall not be liable for any damage that may incur to you as a result of viruses, incompleteness of this message, a delay in receipt of this message or any other computer problems. </font></div>