<div dir="ltr">Hello All , <div><br></div><div>I am trying to implement 2FA using LDAP2 and TOTP but i am facing issue with <b>ConsumePassword </b>. I am using ":" to separate LDAP password and TOTP but when Auth by LDAP receives the password ( PASS:TOTP PIN) , it consume both parts of the password and hence LDAP auth fails. </div><div><br></div><div>I am testing it using radpwtst like this : </div><div>[root@radiator goodies]# /opt/radiator/radiator/radpwtst -noacct -user mike -password password:123344<br>sending Access-Request<br>Rejected: Request Denied<br></div><div><br></div><div><br></div><div>CFG : <br></div><div><br></div><div><Handler><br> AuthByPolicy ContinueWhileAccept<br> <AuthBy LDAP2><br> ConsumePassword :<br> Host 192.168.0.45<br> AuthDN DC=com<br> AuthPassword XXXXXXX<br> BaseDN DC=com <br> ServerChecksPassword<br> EncryptedPasswordAttr unicodePwd<br> UsernameAttr sAMAccountName</div><div> ConsumePassword :<br> </AuthBy><br> <AuthBy SQLTOTP><br>DBSource dbi:mysql:radius<br> DBUsername mike<br> DBAuth test<br>AuthSelect select secret, active, pin, digits, bad_logins, unix_timestamp(accessed), last_timestep, algorithm, timestep, timestep_origin from totpkeys where username=?<br> AuthSelectParam %0<br>UpdateQuery update totpkeys set accessed=now(), bad_logins=?, last_timestep=? where username=?<br> UpdateQueryParam %0<br> UpdateQueryParam %2<br> UpdateQueryParam %1<br></AuthBy><br></Handler></div><div><br></div><div>==================================</div><div>LOGS : </div><div><br></div><div>ccd9afa0 Mon Jan 31 07:25:29 2022 257280: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password<br>ccd9afa0 Mon Jan 31 07:25:29 2022 257662: INFO: Access rejected for mike: Bad Encrypted password<br>ccd9afa0 Mon Jan 31 07:25:29 2022 258306: DEBUG: Packet dump:<br>ccd9afa0 *** Sending to 127.0.0.1 port 56705 ....<br>ccd9afa0 Code: Access-Reject<br>ccd9afa0 Identifier: 178<br>ccd9afa0 Authentic: <173><187><218><177><232><218><9>Rj<235>f<202><165><204><190>'<br>ccd9afa0 Attributes:<br>ccd9afa0 Reply-Message = "Request Denied"<br><br>326fc0b0 Mon Jan 31 07:26:28 2022 066537: DEBUG: Packet dump:<br>326fc0b0 *** Received from 127.0.0.1 port 35953 ....<br>326fc0b0 Code: Access-Request<br>326fc0b0 Identifier: 131<br>326fc0b0 Authentic: <8><237><192><14><185><143>]G<152><155><207><171>p<162>a<10><br>326fc0b0 Attributes:<br>326fc0b0 User-Name = "mike"<br>326fc0b0 Service-Type = Framed-User<br>326fc0b0 NAS-IP-Address = 203.63.154.1<br>326fc0b0 NAS-Identifier = "203.63.154.1"<br>326fc0b0 NAS-Port = 1234<br>326fc0b0 Called-Station-Id = "123456789"<br>326fc0b0 Calling-Station-Id = "987654321"<br>326fc0b0 NAS-Port-Type = Async<br>326fc0b0 User-Password = J<234><249><188><26>D<248>T<29>9<152><142><175><182>A<217><br><br>326fc0b0 Mon Jan 31 07:26:28 2022 066918: DEBUG: Handling request with Handler '', Identifier ''<br>326fc0b0 Mon Jan 31 07:26:28 2022 067174: DEBUG: SessINTERNAL: Deleting session for mike, 203.63.154.1, 1234<br>326fc0b0 Mon Jan 31 07:26:28 2022 067326: DEBUG: Handling with Radius::AuthLDAP2: <br>00000000 Mon Jan 31 07:26:28 2022 067596: INFO: AuthLDAP2 Connecting to 192.168.0.45 port 389<br>00000000 Mon Jan 31 07:26:28 2022 069773: INFO: AuthLDAP2 Connected to 192.168.0.45 port 389<br>00000000 Mon Jan 31 07:26:28 2022 069985: INFO: AuthLDAP2 Attempting to bind to LDAP server 192.168.0.45 port 389<br>326fc0b0 Mon Jan 31 07:26:28 2022 074574: DEBUG: AuthLDAP2 Got result with filter (sAMAccountName=mike) for DN CN=mike,DC=com<br>326fc0b0 Mon Jan 31 07:26:28 2022 097755: DEBUG: AuthLDAP2 ServerChecksPassword failed for CN=mike,DC=com<br>326fc0b0 Mon Jan 31 07:26:28 2022 098056: DEBUG: Radius::AuthLDAP2 looks for match with 'mike' [mike]<br>326fc0b0 Mon Jan 31 07:26:28 2022 098497: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password: 'mike' [mike]<br>00000000 Mon Jan 31 07:26:28 2022 098704: INFO: AuthLDAP2 Connecting to 192.168.0.45 port 389<br>00000000 Mon Jan 31 07:26:28 2022 099847: INFO: AuthLDAP2 Connected to 192.168.0.45 port 389<br>00000000 Mon Jan 31 07:26:28 2022 100137: INFO: AuthLDAP2 Attempting to bind to LDAP server 192.168.0.45 port 389<br>326fc0b0 Mon Jan 31 07:26:28 2022 104783: DEBUG: AuthLDAP2 No entries for 'DEFAULT' found in LDAP database with filter (sAMAccountName=DEFAULT)<br>326fc0b0 Mon Jan 31 07:26:28 2022 105113: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted password<br>326fc0b0 Mon Jan 31 07:26:28 2022 105413: INFO: Access rejected for mike: Bad Encrypted password<br>326fc0b0 Mon Jan 31 07:26:28 2022 105921: DEBUG: Packet dump:<br>326fc0b0 *** Sending to 127.0.0.1 port 35953 ....<br>326fc0b0 Code: Access-Reject<br>326fc0b0 Identifier: 131<br>326fc0b0 Authentic: y7<179><203>z<170>]<212>R<7><229><218><231>3D<215><br>326fc0b0 Attributes:<br>326fc0b0 Reply-Message = "Request Denied"<br></div><div><br></div><div><br></div><div>Please help me troubleshoot this.</div><div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span style="font-size:12.8px"><br></span></div><div dir="ltr"><span style="font-size:12.8px">Thanks & Regards,</span><br></div></div><div dir="ltr"><span style="font-size:12.8px">Sagar Malam</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Project Leader | Ecosmob Technologies Pvt. Ltd.</span><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">(+91)9601533171 | </span><a rel="nofollow noreferrer" href="http://www.google.com/url?q=http%3A%2F%2Fwww.hodusoft.com&sa=D&sntz=1&usg=AFQjCNHXhIaelhkmhqcPU8D1lt3QoYpm2w" dir="ltr" style="color:rgb(38,50,56);font-size:13px;line-height:16px" target="_blank">www.ecosmob.com</a><br style="color:rgb(38,50,56);font-size:13px;line-height:16px"><span style="color:rgb(38,50,56);font-size:13px;line-height:16px">Skype: sagar.ecosmob</span><br></div></div></div></div></div></div></div></div></div>
<br>
<div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Disclaimer</b></font></div><div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small">In addition to generic Disclaimer which you have agreed on our website, any views or opinions presented in this email are solely those of the originator and do not necessarily represent those of the Company or its sister concerns. Any liability (in negligence, contract or otherwise) arising from any third party taking any action, or refraining from taking any action on the basis of any of the information contained in this email is hereby excluded.</span></div></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><br></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><b>Confidentiality</b></font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication (including any attachment/s) is intended only for the use of the addressee(s) and contains information that is PRIVILEGED AND CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or copying of this communication is prohibited. Please inform originator if you have received it in error.</font></div><div><font face="Arial" size="2" style="background-color:white" color="#808080"><br></font></div><div><span style="background-color:white;color:rgb(128,128,128);font-family:Arial;font-size:small"><b>Caution for viruses, malware etc.</b></span></div><div><font face="Arial" size="2" style="background-color:white" color="#808080">This communication, including any attachments, may not be free of viruses, trojans, similar or new contaminants/malware, interceptions or interference, and may not be compatible with your systems. You shall carry out virus/malware scanning on your own before opening any attachment to this e-mail. The sender of this e-mail and Company including its sister concerns shall not be liable for any damage that may incur to you as a result of viruses, incompleteness of this message, a delay in receipt of this message or any other computer problems. </font></div>