Netgate Discussion Forum
    Mobile clients with OTP

    Category: IPsec
    pama

      Hi all,
      I have successfully configured my pfsense for IPsec mobile client with IKEv2 and local radius auth.
      I have set up two users, one with username and password, the other with username and OTP via Google Authenticator.
      The test login works like a charm for both of them.
      The strongSwan client on Android can connect only with the password user, while with the OTP user all I get is this log line:

      radiusd 14913 (4) Login incorrect (Failed retrieving values required to evaluate condition): [username] (from client local port 4 cli <IP>)

      What's wrong?
      Thanks
      Andrea

      nica

        I came here to ask the exact same question.

        I'm afraid that it's not possible, because the client won't send a password across in clear text, while the Google Authenticator script needs the PIN + OTP in the clear to be able to pass it on to the googleauth.py script.

        My linux client will log something like this:

        Jul 10 14:08:35 xps charon-nm: 16[IKE] server requested EAP_MD5 authentication (id 0x01)
        Jul 10 14:08:35 xps charon-nm: 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
        Jul 10 14:08:35 xps charon-nm: 16[NET] sending packet: from 192.168.122.1[49581] to 192.168.122.204[4500] (96 bytes)
        Jul 10 14:08:36 xps charon-nm: 10[NET] received packet: from 192.168.122.204[4500] to 192.168.122.1[49581] (80 bytes)
        Jul 10 14:08:36 xps charon-nm: 10[ENC] parsed IKE_AUTH response 3 [ EAP/FAIL ]
        

        On pfSense, it works fine with radtest, until you use eap-md5:

        radtest -t eap-md5 nils 1111905131 127.0.0.1 1234 psk
        

        Playing around with the EAP settings on the RADIUS server causes my client to try some other methods, like EAP_MSCHAPV2, but none of the ones I've tried seem to work.

        Perhaps someone else has had some success or can confirm my suspicions?

        Alitai

          Hello Everyone

          I see the same "login incorrect" message.
          It's not working.

          @jimp Do you have any suggestions on this? Maybe Strongswan or/and Freeradius Ticket?

          Many Thanks

          Regards
          Alitai

          jimp (Rebel Alliance Developer, Netgate)

            If it is the exact same situation described in the first two posts, then there is nothing either of those projects can do. It's a fact of how EAP works by design for security.

            You'll need to investigate an alternate multi-factor auth method.


            Alitai

              @jimp
              Jim you are awesome. Thanks!

              I just came across multiotp (https://github.com/multiOTP/multiotp/wiki).

              https://wiki.freeradius.org/guide/multiOTP-HOWTO

              Thanks again.

              Best Regards
              Alitai

              Hobby-Student

                @jimp done:
                IKEv2 and freeradius with Google Authenticator

                as @Alitai stated: https://github.com/multiOTP/multiotp/wiki

                I'm just at the beginning, but it doesn't look like that much work to include in the freeradius3 package. For now, I'm doing everything by hand (creating the user, QR code, ...).

                Example:
                IPsec user is authenticated with freeradius. Username, PIN (unique per user) and Google Authenticator grant access. IP per user via "Pre-Shared Keys" (PSK will be ignored).

                What to do?
                Modifying freeradius3 package.
                Modifying multiotp.php slightly.
                Extending "Pre-Shared Keys" with OTP, so individual IPs can be used.

                Will try to make a github PR the next days...

                Alitai

                  I'm also working on it.

                  Steps 1-7:
                  multiotp.php -> /usr/local/bin/multiotp/
                  multiotp -> /usr/local/etc/raddb/policy.d/
                  multiotp and multiotpmschap -> /usr/local/etc/raddb/mods-enabled/
                  default -> /usr/local/etc/raddb/sites-enabled/

                  At least "radiusd -X" worked afterwards.

                  More is coming...

                  Edit:
                  multiotp.php first line is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).

                  Edit2:
                  chmod +x /usr/local/bin/multiotp/multiotp.php
                  ./multiotp.php -create user tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
                  You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your Pfsense
                  and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

                  Edit3:
                  You need only those 2.
                  multiotp.php -> /usr/local/bin/multiotp/
                  freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password}
                  -request-nt-key -src=%{Packet-Src-IP-Address}
                  -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
                  -ms-chap-challenge=%{MS-CHAP-Challenge}
                  -ms-chap-response=%{MS-CHAP-Response}
                  -ms-chap2-response=%{MS-CHAP2-Response}"

                  Now it works.

                  Edit4:
                  /etc/multiotp/ -> All Data you can find here
                  failure_delayed_time -> 300
                  max_block_failures -> 6
                  max_delayed_failures -> 3

                  Edit5:
                  Not recommended...
                  multiotp.ini -> /etc/multiotp/config/ change -> max_block_failures=-1
                  multiotp.php -> /usr/local/bin/multiotp/ change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {

                  @Hobby-Student
                  The lockout after 6 wrong attempts could also be removed.
                  After 3 attempts 300 seconds and after 6 attempts 1 hour and so on instead of blocking the user.

                  Regards
                  Alitai

                  Hobby-Student, replying to @Alitai

                    @Alitai your modifications are right, but I think not complete.
                    My base is working and modified for pfSense filesystem layout. I'm searching some free time to make it work with the GUI and show the QR code on pfsense.

                    Will report back...

                    Alitai

                      Hi @Hobby-Student

                      What do you mean with not complete?

                      I found out that you need to change the "ntlm_auth" here:
                      freeradius.inc

                      and the other things like the QR Code are not complete. I do it by hand.
                      So far it works.
                      All paths are for pfsense by the way.

                      Thanks for the answer.

                      Regards
                      Alitai

                      Alitai

                        Step 1:
                        multiotp.php first line is wrong (#!/usr/bin/php -> #!/usr/local/bin/php).
                        multiotp.php -> /usr/local/bin/multiotp/

                        Step 2:
                        chmod +x /usr/local/bin/multiotp/multiotp.php
                        Maybe change the Timezone:
                        ./multiotp.php -config timezone=Europe/Zurich (which is the default)
                        ./multiotp.php -create usernamehere tOTP 5dc0424b2e7922f3472a0f8429a80b12 1234 (this is an example)
                        You can create the string (5dc0424b2e7922f3472a0f8429a80b12) on your Pfsense
                        and you can just add the string (5dc0424b2e7922f3472a0f8429a80b12) in your app.

                        Step 3:
                        freeradius.inc -> /usr/local/pkg/ add (After "with_ntdomain_hack = yes") -> ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"

                        Step 4:
                        Restart

                        Step 5:
                        Not needed (other info)

                        /etc/multiotp/ -> All Data you can find here
                        failure_delayed_time -> 300
                        max_block_failures -> 6
                        max_delayed_failures -> 3

                        multiotp.ini -> /etc/multiotp/config/ change -> max_block_failures=-1
                        multiotp.php -> /usr/local/bin/multiotp/ change -> if ($this->GetUserErrorCounter() <= $this->GetMaxBlockFailures()) {

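Two pieces of the manual procedure in Steps 2 and 3 that are easy to get wrong by hand, as an added Python example (not code from this thread, pfSense, FreeRADIUS or multiOTP): generating the seed in both forms it is needed in, and inserting the ntlm_auth line into freeradius.inc without duplicating it on a second run. The 32-hex-character string is what "multiotp.php -create <user> TOTP <seed> <pin>" takes; Google Authenticator and other RFC 6238 apps take the same key as base32 on manual entry, or as an otpauth:// URI in a QR code, so both encodings of one seed are produced. The freeradius.inc fragment is constructed; the real file's surrounding layout is assumed, only the anchor line "with_ntdomain_hack = yes" and the ntlm_auth line are taken from the posts above.

```python
"""Seed generation and an idempotent freeradius.inc patch for the manual
multiOTP setup described in the thread.  Added example, not from the thread,
pfSense, FreeRADIUS or multiOTP; the freeradius.inc fragment is constructed."""
import base64
import secrets
from urllib.parse import quote

# The line from Step 3, verbatim.
NTLM_AUTH_LINE = (
    'ntlm_auth = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} '
    '-request-nt-key -src=%{Packet-Src-IP-Address} '
    '-chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} '
    '-ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} '
    '-ms-chap2-response=%{MS-CHAP2-Response}"'
)
ANCHOR = "with_ntdomain_hack = yes"

# Constructed stand-in for the mschap block that freeradius.inc emits;
# the real file's layout around the anchor line is an assumption.
SAMPLE_INC = (
    "\tmschap {\n"
    "\t\tuse_mppe = yes\n"
    "\t\trequire_encryption = yes\n"
    "\t\trequire_strong = yes\n"
    "\t\twith_ntdomain_hack = yes\n"
    "\t}\n"
)


def new_seed(nbytes: int = 16) -> bytes:
    """Seed from the OS CSPRNG; 16 bytes gives the 32-hex-character form in the posts."""
    return secrets.token_bytes(nbytes)


def seed_hex(seed: bytes) -> str:
    """Form for `multiotp.php -create <user> TOTP <seed> <pin>`."""
    return seed.hex()


def seed_base32(seed: bytes) -> str:
    """Form authenticator apps take on manual key entry (padding stripped)."""
    return base64.b32encode(seed).decode().rstrip("=")


def seed_from_base32(text: str) -> bytes:
    """Inverse of seed_base32, restoring the padding b32decode requires."""
    return base64.b32decode(text + "=" * (-len(text) % 8))


def otpauth_uri(user: str, seed: bytes, issuer: str = "pfSense") -> str:
    """Key URI for a QR code; SHA1 / 6 digits / 30 s are the RFC 6238 defaults."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={seed_base32(seed)}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def patch_freeradius_inc(text: str) -> str:
    """Insert NTLM_AUTH_LINE after the first ANCHOR line, copying its indentation.
    Idempotent: if the exact line is already present the text is returned unchanged."""
    lines = text.splitlines(keepends=True)
    if any(line.strip() == NTLM_AUTH_LINE for line in lines):
        return text
    for i, line in enumerate(lines):
        if line.strip() == ANCHOR:
            indent = line[: len(line) - len(line.lstrip())]
            newline = "\n" if line.endswith("\n") else ""
            lines.insert(i + 1, f"{indent}{NTLM_AUTH_LINE}{newline}")
            return "".join(lines)
    raise ValueError(f"anchor line not found: {ANCHOR!r}")


if __name__ == "__main__":
    seed = new_seed()
    print("multiotp -create seed:", seed_hex(seed))
    print("authenticator base32: ", seed_base32(seed))
    print("QR code URI:          ", otpauth_uri("usernamehere", seed))
    print(patch_freeradius_inc(SAMPLE_INC))
```

Run it on the box once to get the seed pair, feed the hex form to multiotp.php -create and the base32 form (or the URI, rendered as a QR code) to the phone; the patch function is meant to be applied to the file's text after the package's own copy of freeradius.inc has been backed up, since a package update will overwrite the file.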
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.