Netgate Discussion Forum

    Pfsense FreeRadius3 multiotp

    IPsec
    4 Posts 2 Posters 893 Views
    shoolin.s

      Re: Mobile clients with OTP

      Hi All,

      New to the community here, excited to be a part of it! So I got multiotp up and working with FreeRADIUS, as per the topic above. However, whenever I try to authenticate using FreeRADIUS I get error code 98, "98 ERROR: Authentication failed (wrong token length)", but when I just do the auth directly

      ./multiotp user <authcode><pin> it works just fine and authenticates.

      Any idea what could be going wrong? Any help would be greatly appreciated.

      PS: this is all being done to get RADIUS gauth working with IKEv2 IPsec.

      Alitai

        I've only just seen it.

        I have edited the post again in the other thread.

        -Did you put the line for "freeradius.inc" in the right place (restart)?
        -The string "5dc0424b2e7922f3472a0f8429a80b12" is not allowed to contain certain characters.

        • Do you have "ntlm_auth" on one line?:
          freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

        Greetings

          shoolin.s

          Hi @Alitai, thanks for your response. Yes, in freeradius.inc it is all on one line; this is how it is set up as of now:

          mschap {
          #       use_mppe = no
          #       require_encryption = yes
          #       require_strong = yes
                  with_ntdomain_hack = yes
                  ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
          #       ntlm_auth_timeout = 10
          #       winbind_username = "%{mschap:User-Name}"
          #       winbind_domain = "%{mschap:NT-Domain}"
          #       winbind_retry_with_normalised_username = no
                  pool {
                          start = \${thread[pool].start_servers}
                          min = \${thread[pool].min_spare_servers}
                          max = \${thread[pool].max_servers}
                          spare = \${thread[pool].max_spare_servers}
                          uses = 0
                          retry_delay = 30
                          lifetime = 86400
                          cleanup_interval = 300
                          idle_timeout = 600
                  }
                  passchange {
          #               ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
          #               ntlm_auth_username = "username: %{mschap:User-Name}"
          #               ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
          #               local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
          #               local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
                  }
          
          #       use_open_directory = yes
          #       allow_retry = yes
          #       retry_msg = "Re-enter (or reset) the password"
          }
          

          Still getting error code 98. Could it be something to do with the config in mods-enabled (multiotpmschap), as it was just a copy of the original mschap and has quite a few options disabled? This is how that is set up for me:

          mschap multiotpmschap {
          #       use_mppe = no
          #       require_encryption = yes
          #       require_strong = yes
                  with_ntdomain_hack = yes
                  ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
                  ntlm_auth_timeout = 10
          #       winbind_username = "%{mschap:User-Name}"
          #       winbind_domain = "%{mschap:NT-Domain}"
          #       winbind_retry_with_normalised_username = no
                  pool {
                          start = ${thread[pool].start_servers}
                          min = ${thread[pool].min_spare_servers}
                          max = ${thread[pool].max_servers}
                          spare = ${thread[pool].max_spare_servers}
                          uses = 0
                          retry_delay = 30
                          lifetime = 86400
                          cleanup_interval = 300
                          idle_timeout = 600
                  }
                  passchange {
          #               ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
          #               ntlm_auth_username = "username: %{mschap:User-Name}"
          #               ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
          #               local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
          #               local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
                  }
          
          #       use_open_directory = yes
          #       allow_retry = yes
          #       retry_msg = "Re-enter (or reset) the password"
          }
          

          Thanks for all your help!

          Regards

            Alitai

            You don't need "mschap multiotpmschap".

            Step 1:
            multiotp.php first line is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).
            multiotp.php -> /usr/local/bin/multiotp/

            Step 2:
            chmod +x /usr/local/bin/multiotp/multiotp.php
            Maybe change the Timezone:
            ./multiotp.php -config timezone=Europe/Zurich (which is the default)
            ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
            You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your Pfsense
            and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

            Step 3:
            freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

            Step 4:
            Restart

            Step 5:
            Try to connect again

            Edit:
            Error 98 = Authentication failed (wrong token length) -> 1234 + 6-digit code from the app

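The last post explains error 98: the token multiotp expects is the PIN followed by the 6-digit code from the app, so a submission of the wrong length is rejected before anything else is checked. As an added example (not code from this thread, from multiotp or from pfSense), the Python below models that check. It derives the 6-digit TOTP (RFC 4226/6238, HMAC-SHA1) from the hex seed in the example -create command, then validates a submitted token the way the thread describes: an OTP sent without its PIN fails on length alone, which matches a RADIUS client passing only the code while the direct CLI call with the full PIN-and-code string succeeds. The seed and PIN are the thread's own example values; the 30-second step, the one-step drift window and the -1 placeholder code are this example's assumptions, not multiotp behaviour documented on the page.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed values taken from the thread's "-create usernamehere tOTP <seed> 1234"
# example command; the poster says they are only an example, not a real secret.
EXAMPLE_SEED_HEX = "5dc0424b2e7922f3472a0f8429a80b12"
EXAMPLE_PIN = "1234"
OTP_DIGITS = 6               # the 6-digit code shown in the authenticator app
TIME_STEP = 30               # RFC 6238 default step; assumed, not stated on the page
ERR_WRONG_TOKEN_LENGTH = 98  # the only multiotp error code the thread cites
ERR_OTHER = -1               # this example's own placeholder, not a multiotp code


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, step: int = TIME_STEP,
         digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // step), digits)


def check_pin_prefixed_token(submitted: str, pin: str, seed: bytes,
                             at: Optional[float] = None, window: int = 1) -> Tuple[bool, int]:
    """Validate a "PIN followed by OTP" token as the thread describes multiotp's expectation.

    Returns (ok, code): (True, 0) on success, (False, 98) when the length is wrong
    (mirroring the "wrong token length" message quoted in the thread), and (False, -1)
    for any other failure. The length test runs first, so an OTP submitted without its
    PIN is rejected before any comparison happens, which is exactly the thread's symptom.
    """
    expected_len = len(pin) + OTP_DIGITS
    if len(submitted) != expected_len:
        return False, ERR_WRONG_TOKEN_LENGTH
    given_pin, given_otp = submitted[:len(pin)], submitted[len(pin):]
    now = time.time() if at is None else at
    counter = int(now // TIME_STEP)
    pin_ok = hmac.compare_digest(given_pin.encode(), pin.encode())
    # Accept the current step plus `window` steps either side for clock drift (assumed policy).
    # Each comparison is constant-time; the loop itself still stops at the first match.
    otp_ok = any(hmac.compare_digest(given_otp.encode(), hotp(seed, c).encode())
                 for c in range(max(0, counter - window), counter + window + 1))
    if pin_ok and otp_ok:
        return True, 0
    return False, ERR_OTHER


def demo(at: float = 1_700_000_000.0) -> dict:
    """Reproduce the thread's two outcomes at a fixed, constructed timestamp."""
    seed = bytes.fromhex(EXAMPLE_SEED_HEX)
    otp = totp(seed, at=at)
    return {
        "otp": otp,
        # what the direct CLI call sent: PIN and code together -> accepted
        "pin_plus_otp": check_pin_prefixed_token(EXAMPLE_PIN + otp, EXAMPLE_PIN, seed, at=at),
        # what a client that only forwards the app code sends -> error 98
        "otp_only": check_pin_prefixed_token(otp, EXAMPLE_PIN, seed, at=at),
        # right length, wrong PIN -> generic failure, not 98
        "wrong_pin": check_pin_prefixed_token("0000" + otp, EXAMPLE_PIN, seed, at=at),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the three outcomes for the example seed; the length check is the one worth keeping in mind when a client or VPN profile sends only the app code, because that path never reaches the OTP comparison at all.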
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.