Discussion:
FreeRADIUS, OpenLDAP password change and RSA SecurID Next-Token-Mode
michael böhm
2018-11-30 13:57:17 UTC
Hello everyone,

we have been using FreeRADIUS successfully for some time now. Now we have two more requirements:

1) Password change in OpenLDAP via FreeRADIUS

FreeRADIUS is connected to an OpenLDAP via the LDAP-module.

We also have Cisco devices connected to a tac_plus server (http://www.pro-bono-publico.de/projects/tac_plus.html), also using OpenLDAP as backend. In this setup the users can change their LDAP password via the router's login prompt after successful authentication with the old password.

Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature?

2) Next-Token-Mode for RSA SecurID

We are using two-factor authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.

Is there a way to handle this in FreeRADIUS?

It would be great if you could point me in the right direction for both use cases and tell me which modules or unlang statements we could try out to solve this.

Thanks and best wishes

Michael
--
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2018-11-30 14:51:20 UTC
Post by michael böhm
1) Password change in OpenLDAP via FreeRADIUS
...
Can we implement password changes with FreeRADIUS as well when the NAS supports this or is this a TACACS+-only feature?
It's only TACACS+.

The good news is that v4 should have a TACACS+ front end. It was working a few months ago, and then we did some rearchitecture. So it doesn't work today. But it's likely only a few days to get it working again.
Post by michael böhm
2) Next-Token-Mode for RSA SecurID
We are using two-factor authentication with FreeRADIUS and RSA SecurID. FreeRADIUS / unlang splits the password string into two parts and sends the last 6 digits as the token to the RSA SecurID server via RADIUS for validation. This works fine. However, in rare conditions a re-sync of the token device may be necessary, so that the RSA SecurID server prompts for the next token. Access-Challenges are used in this case.
Is there a way to handle this in FreeRADIUS?
Sure. There's an rlm_securid module in the server. That should work.

Alan DeKok.

michael böhm
2018-11-30 15:24:39 UTC
Hi Alan,

thanks for your reply.

Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
some that are RADIUS-only.

I did not find the rlm_securid module in my installation. Do I have to
compile it myself? Is there documentation somewhere? Does the module
use the proprietary protocol from RSA or RADIUS?

Thank you and best wishes

Michael

Alan DeKok
2018-11-30 15:26:33 UTC
Post by michael böhm
Does "TACACS+ frontend" mean that the NAS has to speak TACACS+? We have
some that are RADIUS-only.
It means that *FreeRADIUS* can do TACACS+.
Post by michael böhm
I did not find the rlm_securid module in my installation.
It isn't included with any pre-built packages.
Post by michael böhm
Do I have to
compile it myself?
Yes.
Post by michael böhm
Is there documentation somewhere? Does the module
use the proprietary protocol from RSA or RADIUS?
It links to the SecurID libraries. It's documented in src/modules/rlm_securid/ in the source tree.

Alan DeKok.
michael böhm
2018-12-03 13:00:56 UTC
Hi Alan

we've decided to use the RADIUS interface of the SecurID server and not
the proprietary protocol.

Now I need unlang to make the access decision:

LDAP plugin (accept) AND proxy request to SecurID server (accept) =
ACCEPT to NAS

I tried it like this in the authorize section, but it did not work:

filter_username
preprocess

# %{1} = ldap-password
# %{2} = Token

if (User-Password =~ /^(.+)([0-9]{6})$/) {
    update request {
        User-Password := "%{2}"
    }
    update control {
        Proxy-To-Realm := "securid"
    }

    update request {
        User-Password := "%{1}"
    }

    ldap
}

pap

The proxying itself is working fine but not the correlation of the two
results.

Could you please give me a minimal example of how to create this
AND logic in unlang?

Thanks and best wishes

Michael

Alan DeKok
2018-12-03 13:11:59 UTC
Post by michael böhm
we've decided to use the RADIUS interface of the SecurID server and not
the proprietary protocol.
OK.
Post by michael böhm
LDAP-Plugin (accept) AND Proxy-Request to SecurID-Server (accept) =
ACCEPT to NAS
See the FAQ for "it doesn't work".
Post by michael böhm
filter_username
preprocess

# %{1} = ldap-password
# %{2} = Token

if (User-Password =~ /^(.+)([0-9]{6})$/) {
    update request {
        User-Password := "%{2}"
    }
    update control {
        Proxy-To-Realm := "securid"
    }
    update request {
        User-Password := "%{1}"
    }
    ldap
}

pap
The proxying itself is working fine but not the correlation of the two
results.
What does that mean?
Post by michael böhm
Could you please give me a minimal example of how to create this
AND logic in unlang?
My $0.02 is to check the user's password *first*, and then proxy to RSA if it passed.


if (User-Password =~ /^(.+)([0-9]{6})$/) {
    # %{1} is the LDAP password; pap must see that part, not the token
    update request {
        User-Password := "%{1}"
    }

    # get the "known good" password from LDAP
    ldap

    # check the user's password
    # if this fails, the user will be automatically rejected
    pap.authenticate

    update control {
        Proxy-To-Realm := "securid"
    }

    # %{2} is the token; that is what the SecurID server gets
    update request {
        User-Password := "%{2}"
    }
}
else {
    ... do stuff for non-RSA users ...
}

Alan DeKok.

michael böhm
2018-12-03 14:37:32 UTC
Hi Alan,

with your hints I managed to get this running:

# Case 1: No script-user -> 2FA
if (User-Name !~ /^sc_.+$/) {
    # Case 1.1: LDAP-PW + Token
    if (User-Password =~ /^(.+)([0-9]{6})$/) {
        update request {
            User-Password := "%{1}"
        }
        ldap
        files
        pap
        pap.authenticate
        update request {
            User-Password := "%{2}"
        }
        update control {
            Proxy-To-Realm := "securid"
        }
    }
    # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
    elsif (State && User-Password =~ /^([0-9]{6})$/) {
        update control {
            Proxy-To-Realm := "securid"
        }
    }
}
# Case 2: script-user
else {
    ldap
    files
    pap
}


I get this error in freeradius -X:

(2) Found Auth-Type = PAP
(2) Found Auth-Type = Accept
(2) ERROR: Warning: Found 2 auth-types on request for user '<user>'

Can I ignore this?

Only one more problem is to solve:

In post-auth we have a Perl-script that relies on the groups that come
from LDAP to make user rights decisions. When we are in Next-Token-Mode
(case 1.2) we do not query LDAP, so freeradius cannot pass the groups
to the Perl script.

Is there a way to tell freeradius to cache the LDAP-groups from the
last request for case 1.1 and use them in 1.2? If there is no easy way
I would delete Case 1.2 and tell the user to type in the LDAP-password
again followed by the next Token.

Thanks and best wishes

Michael

Alan DeKok
2018-12-03 18:43:38 UTC
That's good.
Post by michael böhm
(2) Found Auth-Type = PAP
(2) Found Auth-Type = Accept
(2) ERROR: Warning: Found 2 auth-types on request for user '<user>'
Can I ignore this?
Yes. If you upgrade to 3.0.17, the message will go away.
Post by michael böhm
In post-auth we have a Perl-script that relies on the groups that come
from LDAP to make user rights decisions. When we are in Next-Token-Mode
(case 1.2) we do not query LDAP, so freeradius cannot pass the groups
to the Perl script.
OK.
Post by michael böhm
Is there a way to tell freeradius to cache the LDAP-groups from the
last request for case 1.1 and use them in 1.2?
You can cache LDAP groups in the session-state list. But they're only cached for a series of challenge/response packets.

Alan DeKok.

michael böhm
2018-12-04 12:37:08 UTC
Hi Alan,

this seems to do exactly what we want:

# In any case: check the LDAP and local user-file first
ldap
files

# Case 1: No script-user -> 2FA
if (User-Name !~ /^sc_.+$/) {
    # Case 1.1: LDAP-PW + Token
    if (User-Password =~ /^(.+)([0-9]{6})$/) {
        # LDAP-password in %{1}
        # Token in %{2}
        update request {
            User-Password := "%{1}"
        }
        # Check password and reject if incorrect
        pap
        pap.authenticate
        update request {
            User-Password := "%{2}"
        }
        # Proxy the request to the SecurID-server
        update control {
            Proxy-To-Realm := "securid"
        }
    }
    # Case 1.2: Just a Token, no LDAP-PW, Next-Token-Mode
    elsif (State && User-Password =~ /^([0-9]{6})$/) {
        update control {
            Proxy-To-Realm := "securid"
        }
    }
}
# Case 2: script-user
else {
    pap
}

Is my elsif(State ...)-statement a robust way to check if this packet
belongs to a challenge-response of this exact user? I want to avoid
situations where a user might be able to authenticate with just a Token
and no password.

We are testing the configuration now. Thank you very much for your
help!

I'll check back in a few weeks regarding the password change / TACACS+
feature I asked for in my initial mail. For the moment we'll do the
password changes via a web-interface for the LDAP which is fine.

Best wishes

Michael

Alan DeKok
2018-12-04 12:43:04 UTC
Post by michael böhm
Is my elsif(State ...)-statement a robust way to check if this packet
belongs to a challenge-response of this exact user?
It's:

a) the user specified in the User-Name, and

b) a response to a previous Access-Challenge.
Post by michael böhm
I want to avoid
situations where a user might be able to authenticate with just a Token
and no password.
Unless the user controls the RADIUS client, they can't generate an Access-Request that contains a State attribute.
Post by michael böhm
We are testing the configuration now. Thank you very much for your
help!
You're welcome.

Alan DeKok.

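To make the decision logic of the final configuration in this thread concrete, here is a Python model of it, added by the editor; it is not code from the thread, from FreeRADIUS or from RSA. The LDAP directory, the per-user token sequences and the SecurID server's challenge behaviour are constructed stand-ins (SECURID_PENDING, SESSION_STATE and the user names are assumptions). The model follows Michael's three cases and goes one step beyond the page's `elsif(State ...)` test: it keeps the LDAP groups in a session-state dictionary keyed by the State value, as Alan suggests, and rejects a Next-Token reply whose State was not issued to that very user.

```python
import re
import secrets

# Constructed stand-ins for OpenLDAP (password + groups) and the RSA SecurID
# server (token sequence per user, and which users need a re-sync).
LDAP_USERS = {
    "alice":     {"password": "Winter2018", "groups": ["netops", "vpn"]},
    "carol":     {"password": "pw-carol",   "groups": ["readonly"]},
    "sc_backup": {"password": "sc-pass-1",  "groups": ["automation"]},
}
SECURID_TOKENS = {"alice": ["123456", "654321"], "carol": ["111111", "222222"]}
SECURID_NEEDS_RESYNC = {"alice"}   # the RSA server will ask alice for the next token

SPLIT_RE = re.compile(r"^(.+)([0-9]{6})$")   # %{1} = LDAP password, %{2} = token
TOKEN_ONLY_RE = re.compile(r"^[0-9]{6}$")    # Next-Token-Mode reply: token only
SCRIPT_USER_RE = re.compile(r"^sc_.+$")      # script accounts: no 2FA

SESSION_STATE = {}     # FreeRADIUS session-state stand-in, keyed by State value
SECURID_PENDING = {}   # the RSA server's own record of outstanding challenges


def securid_proxy(user, token, state):
    """Model of the proxied exchange with the RSA SecurID RADIUS server (assumed)."""
    tokens = SECURID_TOKENS.get(user)
    if tokens is None:
        return "Access-Reject", None
    if state is None:
        if token != tokens[0]:
            return "Access-Reject", None
        if user in SECURID_NEEDS_RESYNC:
            new_state = secrets.token_hex(8)          # opaque challenge handle
            SECURID_PENDING[new_state] = user
            return "Access-Challenge", new_state
        return "Access-Accept", None
    # Second leg: the State must be one this server issued for this user, and
    # the reply must carry the *next* token in the sequence.
    if SECURID_PENDING.pop(state, None) != user or token != tokens[1]:
        return "Access-Reject", None
    return "Access-Accept", None


def authorize(request):
    """Decide one Access-Request the way the thread's final unlang policy does.

    Returns (reply_code, reply_attrs); reply_attrs carries the LDAP groups that
    the post-auth script relies on, also in Next-Token-Mode."""
    name = request["User-Name"]
    password = request["User-Password"]
    state = request.get("State")
    entry = LDAP_USERS.get(name)      # 'ldap' + 'files': known-good password and groups

    # Case 2: script users authenticate with the LDAP password alone
    if SCRIPT_USER_RE.match(name):
        if entry and password == entry["password"]:
            return "Access-Accept", {"groups": entry["groups"]}
        return "Access-Reject", {}

    # Case 1.1: LDAP password followed by a six-digit token
    m = SPLIT_RE.match(password)
    if m:
        ldap_pw, token = m.groups()
        if not entry or ldap_pw != entry["password"]:
            return "Access-Reject", {}    # pap.authenticate failed; the proxy is never reached
        code, new_state = securid_proxy(name, token, None)
        if code == "Access-Challenge":
            # Cache the groups for the one reply that answers this challenge
            SESSION_STATE[new_state] = {"user": name, "groups": entry["groups"]}
            return code, {"State": new_state, "Reply-Message": "Enter the next token"}
        if code == "Access-Accept":
            return code, {"groups": entry["groups"]}
        return code, {}

    # Case 1.2: Next-Token-Mode, a bare token answering an earlier challenge
    if state is not None and TOKEN_ONLY_RE.match(password):
        cached = SESSION_STATE.get(state)
        # Added check beyond the page's elsif(State ...): the State must be one
        # we issued, and to this very user; a stale or foreign State is rejected.
        if cached is None or cached["user"] != name:
            return "Access-Reject", {}
        del SESSION_STATE[state]          # one-shot, like a challenge/response series
        code, _ = securid_proxy(name, password, state)
        if code == "Access-Accept":
            return code, {"groups": cached["groups"]}
        return code, {}

    # A bare token without a State, or anything else: reject
    return "Access-Reject", {}
```

Running `authorize` over a few constructed requests shows the properties the thread is after: a wrong LDAP password is rejected before anything reaches the SecurID side; a bare token without State never authenticates; a user whose device needs a re-sync gets an Access-Challenge, and only the matching Next-Token reply from the same user, carrying the State that was issued, is accepted, with the groups cached from the first leg; that State cannot be replayed afterwards.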