Mobile clients with OTP



  • Hi all,
    I have successfully configured my pfsense for IPsec mobile client with IKEv2 and local radius auth.
    I have set up two users, one with username and password, the other with username and OTP via Google Authenticator.
    The test login works like a charm for both of them.
    Strongswan client from Android can connect only with the user with password, while with OTP I can log only

    radiusd 14913 (4) Login incorrect (Failed retrieving values required to evaluate condition): [username] (from client local port 4 cli <IP>)

    What's wrong?
    Thanks
    Andrea



  • I came here to ask the exact same question.

    I'm afraid that it's not possible because the client won't send a password across in clear text, while the google authenticator script needs the pin + otp in the clear to be able to pass it on to the googleauth.py script.

    My linux client will log something like this:

    Jul 10 14:08:35 xps charon-nm: 16[IKE] server requested EAP_MD5 authentication (id 0x01)
    Jul 10 14:08:35 xps charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
    Jul 10 14:08:35 xps charon-nm: 16[NET] sending packet: from 192.168.122.1[49581] to 192.168.122.204[4500] (96 bytes)
    Jul 10 14:08:36 xps charon-nm: 10[NET] received packet: from 192.168.122.204[4500] to 192.168.122.1[49581] (80 bytes)
    Jul 10 14:08:36 xps charon-nm: 10[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
    

    On pfSense, it works fine with radtest, until you use eap-md5:

    radtest -t eap-md5 nils 1111905131 127.0.0.1 1234 psk
    

    Playing around with the EAP settings on the radius server causes my client to try some other methods, like EAP_MSCHAPV2, but none of the ones I've tried seem to work.

    Perhaps someone else has had some success or can confirm my suspicions?



  • Hello Everyone

    I see the same "login incorrect" message.
    It's not working.

    @jimp Do you have any suggestions on this? Maybe Strongswan or/and Freeradius Ticket?

    Many Thanks

    Regards
    Alitai


  • Rebel Alliance Developer Netgate

    If it is the exact same situation described in the first two posts, then there is nothing either of those projects can do. It's a fact of how EAP works by design for security.

    You'll need to investigate an alternate multi-factor auth method.



  • @jimp
    Jim you are awesome. Thanks!

    I just came across multiotp (https://github.com/multiOTP/multiotp/wiki).

    https://wiki.freeradius.org/guide/multiOTP-HOWTO

    Thanks again.

    Best Regards
    Alitai



  • @jimp done:
    IKEv2 and freeradius with Google Authenticator

    as @Alitai stated: https://github.com/multiOTP/multiotp/wiki

    I'm just at the beginning, but it doesn't look like that much work to include in the freeradius3 package. For now, I'm doing everything by hand (creating user, qrcode, ...).

    Example:
    IPsec user is authenticated with freeradius. Username, PIN (unique per user) and Google Authenticator grant access. IP per user via "Pre-Shared Keys" (PSK will be ignored).

    What to do?
    Modifying freeradius3 package.
    Modifying multiotp.php slightly.
    Extending "Pre-Shared Keys" with OTP, so individual IPs can be used.

    Will try to make a github PR in the next days...



  • I'm also working on it.

    Steps 1-7:
    multiotp.php -> /usr/local/bin/multiotp/
    multiotp -> /usr/local/etc/raddb/policy.d/
    multiotp and multiotpmschap -> /usr/local/etc/raddb/mods-enabled/
    default -> /usr/local/etc/raddb/sites-enabled/

    At least "radiusd -X" worked after.

    More is coming...

    Edit:
    multiotp.php first line is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).

    Edit2:
    chmod +x /usr/local/bin/multiotp/multiotp.php
    ./multiotp.php -create user tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your pfSense
    and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

    Edit3:
    You need only those 2.
    multiotp.php -> /usr/local/bin/multiotp/
    freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password}
    -request-nt-key -src=%{Packet-Src-IP-Address}
    -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
    -ms-chap-challenge=%{MS-CHAP-Challenge}
    -ms-chap-response=%{MS-CHAP-Response}
    -ms-chap2-response=%{MS-CHAP2-Response}"

    Now it works.

    Edit4:
    /etc/multiotp/ -> All Data you can find here
    failure_delayed_time -> 300
    max_block_failures -> 6
    max_delayed_failures -> 3

    Edit5:
    Not recommended...
    multiotp.ini -> /etc/multiotp/config/ change -> max_block_failures=-1
    multiotp.php -> /usr/local/bin/multiotp/ change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {

    @Hobby-Student
    The lockout after 6 wrong attempts could also be removed.
    After 3 attempts 300 seconds and after 6 attempts 1 hour and so on instead of blocking the user.

    Regards
    Alitai



  • @Alitai your modifications are right, but I think not complete.
    My base is working and modified for the pfSense filesystem layout. I'm searching for some free time to make it work with the GUI and show the QR code on pfSense.

    Will report back...



  • Hi @Hobby-Student

    What do you mean with not complete?

    I found out that you need to change the "ntlm_auth" here:
    freeradius.inc

    and the other things like the QR Code are not complete. I do it by hand.
    So far it works.
    All paths are for pfsense by the way.

    Thanks for the answer.

    Regards
    Alitai



  • Step 1:
    multiotp.php first line is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).
    multiotp.php -> /usr/local/bin/multiotp/

    Step 2:
    chmod +x /usr/local/bin/multiotp/multiotp.php
    Maybe change the Timezone:
    ./multiotp.php -config timezone=Europe/Zurich (Which is Standard)
    ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
    You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your pfSense
    and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

    Step 3:
    freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

    Step 4:
    Restart

    Step 5:
    Not needed (other Infos)

    /etc/multiotp/ -> All Data you can find here
    failure_delayed_time -> 300
    max_block_failures -> 6
    max_delayed_failures -> 3

    multiotp.ini -> /etc/multiotp/config/ change -> max_block_failures=-1
    multiotp.php -> /usr/local/bin/multiotp/ change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {
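    An added Python example (not the thread's or multiOTP's own code) of what the ntlm_auth hook above ends up checking: the RADIUS User-Password must be the user's PIN immediately followed by a 6-digit TOTP computed from the hex seed passed to `-create`, and that seed has to be base32-encoded before the Google Authenticator app will accept it. The seed, PIN and user name are the constructed values from the posts; the ±1 step window is an assumption about tolerated clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed values mirroring "-create user tOTP <hexseed> <pin>" from the thread (not a real secret).
HEX_SEED = "5dc0424b2e7922f3472a0f8429a80b12"
PIN = "1234"
STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length Google Authenticator displays


def otpauth_uri(user: str, hex_seed: str, issuer: str = "pfSense") -> str:
    """Google Authenticator expects the seed base32-encoded, so the hex from the thread is converted."""
    b32 = base64.b32encode(bytes.fromhex(hex_seed)).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{user}?secret={b32}&issuer={issuer}&digits={DIGITS}&period={STEP}"


def totp(hex_seed: str, counter: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for one time-step counter."""
    mac = hmac.new(bytes.fromhex(hex_seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_pin_otp(password: str, hex_seed: str, pin: str, now: int, window: int = 1) -> bool:
    """Check a User-Password of the form PIN + 6-digit code, accepting the neighbouring time steps
    (window) to tolerate clock drift between pfSense and the phone. Constant-time code compare."""
    if len(password) != len(pin) + DIGITS or not password.startswith(pin):
        return False
    code = password[len(pin):]
    counter = now // STEP
    return any(hmac.compare_digest(code, totp(hex_seed, counter + d))
               for d in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("enrol with:", otpauth_uri("user", HEX_SEED))
    current = totp(HEX_SEED, now // STEP)
    print("accepted:", verify_pin_otp(PIN + current, HEX_SEED, PIN, now))   # True
    print("wrong PIN:", verify_pin_otp("0000" + current, HEX_SEED, PIN, now))  # False
```

    With a real client the phone shows the 6 digits and the user types PIN plus those digits as the IPsec password; the same hex seed created on pfSense and entered in the app is what makes both sides agree.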

