MultiOTP + FreeRADIUS + MS Active Directory

MultiOTP + FreeRADIUS + MS Active Directory

我正在运行 CentOS 6.6 64 位服务器,并从基础存储库安装了 FreeRADIUS 2.1.12。此外,我还使用 MultiOTP (http://www.multiotp.net/) 配置为连接到我们的 Windows 2012 R2 服务器。

MultiOTP 版本为 4.3.1.1,对于配置 FreeRADIUS,我使用了本指南:http://wiki.freeradius.org/guide/multiOTP-HOWTO

我找不到有关旧版 FreeRADIUS 的任何信息,但至少使用 PAP 似乎可行:

radtest -t pap -x myusername mypasswordandtoken localhost 1812 sharedsecret
Sending Access-Request of id 95 to 127.0.0.1 port 1812
    User-Name = "myusername"
    User-Password = "mypasswordandtoken"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=95, length=20

输出radiusd -X如下所示:

[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++? if (control:Auth-Type == 'MS-CHAP')
    (Attribute control:Auth-Type was not found)
? Evaluating (control:Auth-Type == 'MS-CHAP') -> FALSE
++? if (control:Auth-Type == 'MS-CHAP') -> FALSE
++- entering else else {...}
+++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
+++? if (!control:Auth-Type) -> TRUE
+++- entering if (!control:Auth-Type) {...}
++++[control] returns noop
+++- if (!control:Auth-Type) returns noop
++- else else returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = multiotp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group multiotp {...}
[multiotp]  expand: '%{User-Name}' -> 'myusername'
[multiotp]  expand: '%{User-Password}' -> 'mypasswordandtoken'
[multiotp]  expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
[multiotp]  expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
[multiotp]  expand: -chap-password=%{CHAP-Password} -> -chap-password=
[multiotp]  expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=
[multiotp]  expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=
[multiotp]  expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
Exec-Program output:
Exec-Program: returned: 0
++[multiotp] returns ok

运行 radtest-t mschap不起作用,Radius 输出如下:

[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++? if (control:Auth-Type == 'MS-CHAP')
? Evaluating (control:Auth-Type == 'MS-CHAP') -> TRUE
++? if (control:Auth-Type == 'MS-CHAP') -> TRUE
++- entering if (control:Auth-Type == 'MS-CHAP') {...}
+++[control] returns noop
++- if (control:Auth-Type == 'MS-CHAP') returns noop
++ ... skipping else for request 1: Preceding "if" was taken
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = multiotpmschap
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group multiotpmschap {...}
[multiotpmschap] Told to do MS-CHAPv1 with NT-Password
[multiotpmschap]    expand: %{User-Name} -> myusername
[multiotpmschap]    expand: %{User-Password} -> 
[multiotpmschap]    expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1
[multiotpmschap]    expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge=
[multiotpmschap]    expand: -chap-password=%{CHAP-Password} -> -chap-password=
[multiotpmschap]    expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge=0xdf908aaeb26f4444
[multiotpmschap]    expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response=0x0001000000000000000000000000000000000000000000000000fbb0b53f018a0e1fec964169db2b88be0ca521a8d8a234b6
[multiotpmschap]    expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response=
Exec-Program output: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
Exec-Program-Wait: plaintext: NT_KEY: F1111A9A8F0E249D347BE73B2D538685
Exec-Program: returned: 99
[multiotpmschap] External script failed.
[multiotpmschap] MS-CHAP-Response is incorrect.
++[multiotpmschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]         expand: %{User-Name} -> myusername
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 105 to 127.0.0.1 port 49595
    MS-CHAP-Error = "\000E=69
Waking up in 4.9 seconds.

另外,将执行 MS-CHAPv2 身份验证的应用程序连接到 freeradius 会产生与使用 mschap 和 radclient 相同的错误。

是否有人知道此版本的 FreeRADIUS 是否可以与连接到活动目录的 MultiOTP 一起使用?

答案1

是的,你是对的,MSCHAP 和 MSCHAPv2 正在对密码进行哈希处理,因此如果密码是 [PIN/内部密码 + 令牌],multiOTP 仍然可以重新计算它,但是对于 AD 密码,没有办法做到这一点,因为我们没有将 AD 密码存储在 multiOTP 中。

答案2

此设置使用 MultiOTP 加密 AD + 令牌 (MSCHAP),不依赖于您使用的 FreeRADIUS 版本。如果您要深入了解其工作原理,您将意识到这是不可能的。目前,我认为 MultiOTP 无法使用其数据库 + 令牌中的 AD 重新生成哈希以匹配来自客户端的加密密码(使用 MSCHAP)。想象一下在 128 位上解密哈希。

它适用于 PAP,因为用于身份验证的字符串是纯文本。在这种情况下,MultiOTP 很容易重建字符串,而加密形式则不然。

我希望这也能回答您为什么会收到错误。

答案3

代替:

Username: username
Password: [password] + [OTP]

您现在可以使用:

Username: username:OTP
Password: password

例如用户名 = john,密码 = myBigPassword,OTP = 123456

Username: john:123456
Password: myBigPassword

由于 OTP 一直在变化,因此它是完全安全的,并且 MS-CHAPv2 可以正常工作 :-)

相关内容