Good day. I am working on a project for sending users OTPs to gain access. I would like to have users authenticate to AD and, once accepted, use AuthBy OTP to generate a token and send it to the user via SMS. The user would then enter the OTP and gain access. I have done a bit of research and found a config that I am using as a base: http://www.van-sluis.nl/?p=345 The AuthBy LDAP2 in my config is working as expected but the AuthBy OTP is not. It is a bit confusing at this point as I am unsure how to debug the AuthBy OTP failure to find the exact issue.
My expectation is that if the AuthBy OTP was working right a one-time password would be generated and then sent to the user's mobile number found in AD. Any ideas where to start with this one?

Cleaned radius.cfg file
========
# radius.cfg - Niels van Sluis, <ni...@van-sluis.nl>
#
# Example Radiator configuration file.
#
# * retrieve mobile number from Directory Server.
# * generate and send One-Time Password to mobile number.
# * authenticate One-Time Password.

LogDir /var/log/radius
DbDir /etc/radiator

# Use a lower trace level in production systems:
Trace 7

AuthPort 1812
AcctPort 1813

<Client 1.1.100.8>
    Secret REDACTED
    Identifier juni-sslvpn
</Client>

<AuthBy LDAP2>
    # Radiator talks to Microsoft AD.
    # Try to find mobile number only.
    Debug 255
    Identifier SSLVPN_LDAP
    NoDefault
    Host 1.1.50.80 1.1.50.82
    Port 3268
    BaseDN
    AuthDN cn=SVC_REDACTED OU=REDACTED, DC=REDACTED, DC=REDACTED, DC=REDACTED
    AuthPassword REDACTED
    Timeout 2
    UsernameAttr sAMAccountName
    PasswordAttr
    ServerChecksPassword
    HoldServerConnection
    FailureBackoffTime 0

    # Get attribute that contains the mobile number.
    AuthAttrDef MobileNumber

    # We don't do authentication. Authentication is done by OTP.
    #NoCheckPassword

    # Some code to put the mobile number into memory, so it can be used
    # by OTP.
    PostSearchHook sub {\
        use Radius::Context;\
        my $user = $_[1];\
        my $attr = ($_[4]->get('MobileNumber'))[0];\
        my $context = &Radius::Context::get("otp:$user", 120);\
        $context->{mobile_number} = $attr;\
    }
</AuthBy>

<AuthBy OTP>
    # Authenticate based on One-Time Password sent to user by SMS.
    Identifier SSLVPN_OTP
    EAPType One-Time-Password,Generic-Token
    ChallengeHook sub {my ($self, $user, $p, $context) = @_;\
        $context->{otp_password} = $self->generate_password();\
        system('/etc/radiator/otp/sendsms.php', $user, $context->{mobile_number}, $context->{otp_password});\
        return "Enter One-Time Password"; \
    }
</AuthBy>

<AuthBy GROUP>
    Identifier Check-LDAP-and-OTP
    AuthByPolicy ContinueWhileAccept
    AuthBy SSLVPN_LDAP
    AuthBy SSLVPN_OTP
</AuthBy>

<Handler Client-Identifier = juni-sslvpn>
    RejectHasReason
    AuthBy Check-LDAP-and-OTP
</Handler>
========

Cleaned log output
========
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Received from 1.1.100.8 port 48711 ....
Packet length = 60
01 f9 00 3c 44 f6 a0 c6 d9 45 84 6b 77 b0 3b bd
6f 7c a6 a6 01 0a 48 6f 6e 6e 6f 6c 64 4a 02 12
38 0e 00 f6 b2 17 6f 3b e0 62 22 b9 36 35 f7 bd
06 06 00 00 00 01 04 06 a7 64 64 08
Code:       Access-Request
Identifier: 249
Authentic:  D<246><160><198><217>E<132>kw<176>;<189>o|<166><166>
Attributes:
        User-Name = "ADUSER"
        User-Password = 8<14><0><246><178><23>o;<224>b"<185>65<247><189>
        Service-Type = Login-User
        NAS-IP-Address = 1.1.100.8

Sun Dec 20 20:55:03 2015: DEBUG: Handling request with Handler 'Client-Identifier = juni-sslvpn', Identifier ''
Sun Dec 20 20:55:03 2015: DEBUG: Deleting session for ADUSER, 1.1.100.8,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthGROUP: Check-LDAP-and-OTP
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthLDAP2: SSLVPN_LDAP
Sun Dec 20 20:55:03 2015: INFO: Connecting to 1.1.50.80:3268 1.1.50.82:3268
Sun Dec 20 20:55:03 2015: INFO: Connected to 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: INFO: Attempting to bind to LDAP server 1.1.50.80:3268
Sun Dec 20 20:55:03 2015: DEBUG: LDAP got result for CN=AD User,OU=REDACTED,OU=REDACTED,DC=REDACTED,DC=REDACTED,DC=REDACTED
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthLDAP2 ACCEPT: : ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_LDAP result: ACCEPT,
Sun Dec 20 20:55:03 2015: DEBUG: Handling with Radius::AuthOTP: SSLVPN_OTP
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP looks for match with ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthOTP REJECT: OTP Authentication failed: (): ADUSER [ADUSER]
Sun Dec 20 20:55:03 2015: DEBUG: Radius::AuthGROUP:Check-LDAP-and-OTP SSLVPN_OTP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: AuthBy GROUP result: REJECT, OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: INFO: Access rejected for ADUSER: OTP Authentication failed: ()
Sun Dec 20 20:55:03 2015: DEBUG: Packet dump:
*** Sending to 1.1.100.8 port 48711 ....
Packet length = 51
03 f9 00 33 67 f2 b5 1f 1c 13 63 fc 25 ff d3 79
a5 80 d7 c5 12 1f 4f 54 50 20 41 75 74 68 65 6e
74 69 63 61 74 69 6f 6e 20 66 61 69 6c 65 64 3a
20 28 29
Code:       Access-Reject
Identifier: 249
Authentic:  g<242><181><31><28><19>c<252>%<255><211>y<165><128><215><197>
Attributes:
        Reply-Message = "OTP Authentication failed: ()"
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
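The flow the post is trying to build is a two-leg RADIUS exchange: the first Access-Request carries the AD password and, if it checks out, is answered with an Access-Challenge after an OTP has been minted and sent by SMS; only the second Access-Request, which echoes the State attribute and carries the OTP, is compared against the stored code. The model below is an added example in Python, not Radiator's code, the poster's config, or Niels van Sluis's hooks; it assumes a constructed in-memory directory (DIRECTORY) in place of the AD lookup, a list (SENT_SMS) in place of sendsms.php, and an injectable clock so the 120-second lifetime from the post's Radius::Context::get("otp:$user", 120) can be exercised. It shows the points a defender wants visible in such a design: the challenge leg separated from the verify leg, the second request bound to the first by State, constant-time comparison, single-use codes, an attempt cap, and a reject reason that names which check failed (the posted log's "OTP Authentication failed: ()" carries no such detail).

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # lifetime matching the 120 s context timeout in the posted config
OTP_DIGITS = 6
MAX_OTP_ATTEMPTS = 3

# Constructed stand-in for the Active Directory lookup: sAMAccountName -> password, mobile.
DIRECTORY = {
    "aduser": {"password": "correct horse battery staple", "mobile": "+10005550100"},
}

# Constructed stand-in for /etc/radiator/otp/sendsms.php: each "sent" SMS is appended as (mobile, otp).
SENT_SMS = []


def _ct_eq(a, b):
    """Constant-time string comparison; encode so non-ASCII input cannot raise TypeError."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class OtpContext:
    """State kept between the Access-Challenge and the second Access-Request."""
    mobile_number: str
    otp_password: str
    state: str          # opaque RADIUS State value the NAS must echo back
    expires_at: float
    attempts: int = 0


class OtpServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.contexts = {}   # keyed "otp:<user>", like the post's Radius::Context id

    def _lookup_ad(self, user, password):
        entry = DIRECTORY.get(user.lower())
        if entry is None or not _ct_eq(entry["password"], password):
            return None
        return entry

    def _challenge(self, user, mobile):
        """Leg 1 success: mint a fresh OTP, deliver it, and answer with Access-Challenge."""
        otp = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        ctx = OtpContext(mobile, otp, secrets.token_hex(16), self.clock() + OTP_TTL_SECONDS)
        self.contexts[f"otp:{user}"] = ctx
        SENT_SMS.append((mobile, otp))
        return ("Access-Challenge", {"State": ctx.state, "Reply-Message": "Enter One-Time Password"})

    def handle_access_request(self, user, password, state=None):
        """Return (RADIUS code, reply attributes) for one Access-Request."""
        key = f"otp:{user}"
        if state is None:
            # Leg 1: User-Password is the AD password; never compare it against an OTP.
            entry = self._lookup_ad(user, password)
            if entry is None:
                return ("Access-Reject", {"Reply-Message": "AD authentication failed"})
            return self._challenge(user, entry["mobile"])
        # Leg 2: User-Password is the OTP and State must match the pending challenge.
        ctx = self.contexts.get(key)
        if ctx is None or not _ct_eq(ctx.state, state):
            return ("Access-Reject", {"Reply-Message": "OTP Authentication failed: no pending challenge"})
        if self.clock() > ctx.expires_at:
            del self.contexts[key]
            return ("Access-Reject", {"Reply-Message": "OTP Authentication failed: code expired"})
        ctx.attempts += 1
        if not _ct_eq(ctx.otp_password, password):
            if ctx.attempts >= MAX_OTP_ATTEMPTS:
                del self.contexts[key]   # force a fresh challenge after too many guesses
            return ("Access-Reject", {"Reply-Message": "OTP Authentication failed: wrong code"})
        del self.contexts[key]           # single use: the same code cannot be replayed
        return ("Access-Accept", {"Reply-Message": "OTP accepted"})


if __name__ == "__main__":
    srv = OtpServer()
    code, attrs = srv.handle_access_request("ADUSER", "correct horse battery staple")
    print(code, attrs)                      # Access-Challenge with a State value
    mobile, otp = SENT_SMS[-1]              # what the user would receive by SMS
    print(srv.handle_access_request("ADUSER", otp, state=attrs["State"]))   # Access-Accept
```

Running the module prints the challenge and then the accept; feeding the same code a second time, or a code after the 120 s window, yields a reject whose Reply-Message says why. Mapping this back to the posted config: the mobile number is stored on the context in the LDAP step and the OTP is minted in the challenge step, so a request that reaches the verify step without a challenge having been issued has nothing to compare against.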