multiotp and freeradius 3

ivnivn
edited July 2018 in General
Hi! I'm trying to configure multiotp with freeradius 3 on CentOS 7. I'm testing a PPTP connection to my Mikrotik and it sends auth requests to my CentOS machine. Multiotp seems to be working fine. I can log in to the web GUI and create or import users from AD. But I cannot connect PPTP. I can see several errors in radiusd -X:

    (0) multiotp: ERROR: Failed parsing output from: /usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting operator
    (0) multiotp: ERROR: Program returned code (0) and output 'Filter-Id += "VPN",NT_KEY: 1111111111111111'

Comments

  • ivnivn
    edited July 2018
Here are some more detailed logs from freeradius: https://pastebin.com/7whwAAVV
    And here is my multiotp config: https://pastebin.com/JrQaTvxZ
    Can somebody help please?
  • Hello, could you please provide us with the configuration you have done in FreeRADIUS? Regards,
  • Did you change the ntlm_auth variable also, as described in the readme? https://wiki.freeradius.org/guide/multiOTP-HOWTO
  • ivnivn
    edited July 2018
Yes, I have changed that variable. Here are all my config files.
    /etc/raddb/mods-available/multiotp: https://pastebin.com/BJ13ywRg
    /etc/raddb/mods-available/multiotpmschap: https://pastebin.com/PTicWUCu
    /etc/raddb/sites-available/default: https://pastebin.com/SJzDde4j
    /etc/raddb/policy.d/multiotp: https://pastebin.com/Ruzg7bav
    Thanks!
  • Hello, our RADIUS specialist is on holiday and will take care of this when he gets back in two weeks. Have a good weekend.
  • Hi! I have some progress here. I have changed the "program" line in the multiotp module to:

        program = "/usr/local/bin/multiotp/multiotp.php %{User-Name} %{User-Password} --request-nt-key --src=%{Packet-Src-IP-Address} --chap-challenge=%{CHAP-Challenge} --chap-password=%{CHAP-Password} --ms-chap-challenge=%{MS-CHAP-Challenge} --ms-chap-response=%{MS-CHAP-Response} --ms-chap2-response=%{MS-CHAP2-Response}"

    So I just added double dashes and that error is gone. But now I can see a new error in radiusd -X:

        (0) multiotp: ERROR: Program returned code (98) and output 'Reply-Message := "ERROR: Authentication failed (wrong token length)" '
        (0) multiotp: ERROR: Program returned invalid code (greater than max rcode) (98 > 9):

    I'm using just a 6-digit OTP as my password. I can successfully check my user with its OTP in the multiotp web interface. What could be the problem?
  • Sorry, figured it out myself. My mistake. I did not enable PAP in the Windows VPN connection properties. After that it works. Also there is no need for double dashes as I wrote in my previous comment. And also it didn't work with the multiotp policy from your guide for freeradius 3. I had this error:

        ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

    I had to use this policy:

        multiotp.authorize {
            if (!control:Auth-Type) {
                update control {
                    Auth-Type := multiotp
                }
            }
        }
  • Thanks for the reply.
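The two errors quoted in this thread come from how the FreeRADIUS exec module treats a helper program's result: the exit status is mapped to a module return code (0 is ok, 1 to 9 map to the RLM_MODULE_* codes shifted by one, anything above 9 is "greater than max rcode" and fails), and stdout is parsed as a comma-separated list of `Attribute op value` pairs. The following is an added illustrative re-implementation of that behaviour in Python, written for this page; it is not FreeRADIUS or multiOTP code, and the function names, the error-return structure and the order in which status and output are checked are this example's own choices. It replays the two outputs posted above: the first fails to parse because `NT_KEY: 1111111111111111` has no operator after the attribute name, and the second parses cleanly but exit status 98 exceeds the largest valid rcode.

```python
"""Illustrative model (not FreeRADIUS code) of how rlm_exec turns a helper
program's exit status and stdout into a module rcode plus attribute pairs."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# rlm_exec mapping in FreeRADIUS 3: exit 0 -> ok, exit 1..9 -> RCODES[exit-1],
# exit > 9 -> invalid, reported as "(status > 9)" exactly as in the log above.
RCODES = ["reject", "fail", "ok", "handled", "invalid",
          "userlock", "notfound", "noop", "updated"]
MAX_RCODE = len(RCODES)  # 9

# Longest operators first so that ":=" is not read as ":" followed by "=".
OPERATORS = (":=", "+=", "==", "!=", ">=", "<=", "=~", "!~", "=*", "!*",
             "=", ">", "<")
# Attribute name with an optional list prefix such as "reply:Filter-Id".
NAME_RE = re.compile(r"(?:[A-Za-z]+:)?[A-Za-z0-9_.-]+")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')


@dataclass
class Pair:
    attribute: str
    op: str
    value: str


class PairParseError(ValueError):
    """Raised where FreeRADIUS would log 'Failed parsing output from: ...'."""


def status_to_rcode(status: int) -> Tuple[str, Optional[str]]:
    """Map a program exit status to (rcode, error-message-or-None)."""
    if status < 0:
        return "fail", "Program could not be executed"
    if status == 0:
        return "ok", None
    if status > MAX_RCODE:
        return "fail", (f"Program returned invalid code (greater than max rcode) "
                        f"({status} > {MAX_RCODE})")
    return RCODES[status - 1], None


def parse_pairs(output: str) -> List[Pair]:
    """Parse 'Attr op value, Attr op value' the way rlm_exec reads stdout."""
    pairs: List[Pair] = []
    pos, n = 0, len(output)

    def skip_ws() -> None:
        nonlocal pos
        while pos < n and output[pos].isspace():
            pos += 1

    while True:
        skip_ws()
        if pos >= n:
            return pairs
        m = NAME_RE.match(output, pos)
        if not m:
            raise PairParseError(f"Invalid attribute name at offset {pos}")
        name, pos = m.group(0), m.end()
        skip_ws()
        op = next((o for o in OPERATORS if output.startswith(o, pos)), None)
        if op is None:
            # 'NT_KEY: 1111...' ends up here: a name, then no operator.
            raise PairParseError("Expecting operator")
        pos += len(op)
        skip_ws()
        q = QUOTED_RE.match(output, pos)
        if q:
            value = q.group(1) if q.group(1) is not None else q.group(2)
            pos = q.end()
        else:  # bare value runs up to the next comma (or end of string)
            end = output.find(",", pos)
            end = n if end == -1 else end
            value, pos = output[pos:end].strip(), end
        pairs.append(Pair(name, op, value))
        skip_ws()
        if pos < n:
            if output[pos] != ",":
                raise PairParseError(f"Expecting ',' at offset {pos}")
            pos += 1


def handle_exec_result(status: int, output: str) -> dict:
    """Combine exit status and stdout into {'rcode', 'pairs', 'error'}."""
    rcode, error = status_to_rcode(status)
    try:
        pairs = parse_pairs(output)
    except PairParseError as exc:
        return {"rcode": "fail", "pairs": [], "error": f"Failed parsing output: {exc}"}
    if error:
        return {"rcode": "fail", "pairs": pairs, "error": error}
    return {"rcode": rcode, "pairs": pairs, "error": None}


if __name__ == "__main__":
    # The two outputs quoted in the thread, plus a clean one for contrast.
    for status, out in [(0, 'Filter-Id += "VPN",NT_KEY: 1111111111111111'),
                        (98, 'Reply-Message := "ERROR: Authentication failed (wrong token length)" '),
                        (0, 'Filter-Id += "VPN"')]:
        print(status, repr(out), "->", handle_exec_result(status, out))
```

The pair grammar only accepts `Attribute op value` items, so any extra text a helper prints (the `NT_KEY:` trailer here) makes the whole stdout unparseable and the request fails even though the exit status was 0; keeping stdout to attribute pairs and the exit status within 0 to 9 is what the exec module needs.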
This discussion has been closed.