Selasa, 31 Mei 2011

How To Use FreeRADIUS With LinOTP 2 To Do Two Factor Authentication With One Time Passwords

This howto will guide you to set up RADIUS authentication with the LinOTP 2 Community Edition. LinOTP is a one time password backend that enables you to do two factor authentication with a broad variety of different hardware devices, software tokens and SMS.

While the Enterprise Edition comes with a C module for the FreeRADIUS Server, the Community Edition, that is licensed under the AGPLv3 does not. Nevertheless, LinOTP provides very simple WEB APIs that makes it easy to talk to LinOTP in many different ways. There is also an API to do authentication, i.e. to ask the LinOTP server if a given one time password for a certain user is valid. This is the URL

https://yourServer/validate/check?user=....&pass=....

or 

https://yourServer/validate/simplecheck?user=...&pass=...

You can take a look at the complete API here.

The simple LinOTP API and some nice module of the FreeRADIUS make it easy to hack a simple solution for OTP via RADIUS. You could use the module rlm_exec to execute an external program but I'd rather use the module rlm_perl and add my limited perl knowlege ;-)

The documentation of the rlm_perl module can be found here. It has a simple example, that we need to adapt only in the function authenticate. This is the point, where we need to talk to the LinOTP server (with the above URL) and repond according the the LinOTP feedback.

So the perl module in a pre-beta ;-) will look like this:

##  This program is free software; you can redistribute it and/or modify#  it under the terms of the GNU General Public License as published by#  the Free Software Foundation; either version 2 of the License, or#  (at your option) any later version.##  This program is distributed in the hope that it will be useful,#  but WITHOUT ANY WARRANTY; without even the implied warranty of#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the#  GNU General Public License for more details.##  You should have received a copy of the GNU General Public License#  along with this program; if not, write to the Free Software#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA##  Copyright 2002  The FreeRADIUS server project#  Copyright 2002  Boian Jordanov #  Copyright 2011  linotp project ## Based on the Example code for use with rlm_perl##=head1 NAMEfreeradius_perl - Perl module for use with FreeRADIUS rlm_perl, to authenticate against  LinOTP  http://www.linotp.org=head1 SYNOPSIS   use with freeradius:        Configure rlm_perl to work with LinOTP:   in /etc/freeradius/users     set:     DEFAULT Auth-type := perl  in /etc/freeradius/modules/perl     point     perl {         module =   to this file  in /etc/freeradius/sites-enabled/  set  authenticate{    perl    [....]=head1 DESCRIPTIONThis module enables freeradius to authenticate using LinOTP.   TODO:      * checking of server certificate=head2 Methods   * authenticate=head1 AUTHORCornelius Koelbel (cornelius.koelbel@lsexperts.de)=head1 COPYRIGHTCopyright 2011 This library is free software; you can redistribute it under the GPLv2.=head1 SEE ALSOperl(1).=cutuse strict;use LWP 5.64;# use ...# This is very important ! Without this script will not get the filled  hashesh from main.use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK $URL);use Data::Dumper;$URL = "https://localhost/validate/simplecheck";# This is hash wich hold original request from radius#my %RAD_REQUEST;# In this hash you add values that will be returned to NAS.#my %RAD_REPLY;#This is for check items#my %RAD_CHECK;## This the remapping of return values#       use constant    RLM_MODULE_REJECT=>    0;#  /* immediately reject the request */       use constant    RLM_MODULE_FAIL=>      1;#  /* module failed, don't reply */       use constant    RLM_MODULE_OK=>        2;#  /* the module is OK, continue */       use constant    RLM_MODULE_HANDLED=>   3;#  /* the module handled the request, so stop. */       use constant    RLM_MODULE_INVALID=>   4;#  /* the module considers the request invalid. */       use constant    RLM_MODULE_USERLOCK=>  5;#  /* reject the request (user is locked out) */       use constant    RLM_MODULE_NOTFOUND=>  6;#  /* user not found */       use constant    RLM_MODULE_NOOP=>      7;#  /* module succeeded without doing anything */       use constant    RLM_MODULE_UPDATED=>   8;#  /* OK (pairs modified) */       use constant    RLM_MODULE_NUMCODES=>  9;#  /* How many return codes there are */# Function to handle authorizesub authorize {       # For debugging purposes only#       &log_request_attributes;       # Here's where your authorization code comes       # You can call another function from here:       &test_call;       return RLM_MODULE_OK;}# Function to handle authenticatesub authenticate {       # For debugging purposes only#       &log_request_attributes;        my $ua = LWP::UserAgent->new();    my $req = HTTP::Request->new(GET => $URL . "?user=" .        $RAD_REQUEST{'User-Name'} . "&pass=" .         $RAD_REQUEST{'User-Password'} );    my $response = $ua->request( $req );    die "Error at $URL\n ", $response->status_line, "\n Aborting"      unless $response->is_success;          if($response->content =~ m/:\-\)/i) {               return RLM_MODULE_OK;      } else {        $RAD_REPLY{'Reply-Message'} = "LinOTP server denied access!";               return RLM_MODULE_REJECT;    }}# Function to handle preacctsub preacct {       # For debugging purposes only#       &log_request_attributes;       return RLM_MODULE_OK;}# Function to handle accountingsub accounting {       # For debugging purposes only#       &log_request_attributes;       # You can call another subroutine from here       &test_call;       return RLM_MODULE_OK;}# Function to handle checksimulsub checksimul {       # For debugging purposes only#       &log_request_attributes;       return RLM_MODULE_OK;}# Function to handle pre_proxysub pre_proxy {       # For debugging purposes only#       &log_request_attributes;       return RLM_MODULE_OK;}# Function to handle post_proxysub post_proxy {       # For debugging purposes only#       &log_request_attributes;       return RLM_MODULE_OK;}# Function to handle post_authsub post_auth {       # For debugging purposes only#       &log_request_attributes;       return RLM_MODULE_OK;}# Function to handle xlatsub xlat {       # For debugging purposes only#       &log_request_attributes;       # Loads some external perl and evaluate it       my ($filename,$a,$b,$c,$d) = @_;       &radiusd::radlog(1, "From xlat $filename ");       &radiusd::radlog(1,"From xlat $a $b $c $d ");       local *FH;       open FH, $filename or die "open '$filename' $!";       local($/) = undef;       my $sub = ;       close FH;       my $eval = qq{ sub handler{ $sub;} };       eval $eval;       eval {main->handler;};}# Function to handle detachsub detach {       # For debugging purposes only#       &log_request_attributes;       # Do some logging.       &radiusd::radlog(0,"rlm_perl::Detaching. Reloading. Done.");} ## Some functions that can be called from other functions#sub test_call {       # Some code goes here}sub log_request_attributes {       # This shouldn't be done in production environments!       # This is only meant for debugging!       for (keys %RAD_REQUEST) {               &radiusd::radlog(1, "RAD_REQUEST: $_ = $RAD_REQUEST{$_}");       }}1;

You will need to configure some FreeRADIUS files and also adapt the $URL in the  perl module itself.

Please note, that this is an easy and simple way, to get RADIUS running. There are some things missing, error handling logging would be nice, what about redundancy, the SSL certificate is not checked!

Nevertheless it shows how easy it is to integrate LinOTP into your environment using its simple API.



View the original article here

Diposting oleh di
Label: , , , ,

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)