Comments (4)
tim-at-gith
commented on June 12, 2024
Here I am once again
Is this possible for the problem:
- at the radius-flow > identification-stage leave password-stage emtpy (any password is accepted)
- after identification-stage use a new Expression Policies
- inside new Expression Policies call ak_call_policy the totp-authenticator-stage with variable code contains the password value
- and after pass it goes forward with authentication-login on the radius-flow
That's my idea.
Does that work?
If so, unfortunately I don't know what the expression policies should look like. My problem is how to transmit the MFA code from the password to totp-authenticator-stage via ak_call_policy (if code based radius is off)?
Best Regards
Tim
from authentik.
tim-at-gith
commented on June 12, 2024
At the source I found that password and Token-Code (StageAuthenticatorValidate) is set to the password-value from the radius request.
But it doesn't work at the flow.
authentik-main/internal/outpost/flow/solvers_mfa.go
...
const CodePasswordSeparator = ";"
...
func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
return
}
fe.Answers[StagePassword] = password
if !mfaCodeBased {
// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
// This allows flows with a mfa stage only.
fe.Answers[StageAuthenticatorValidate] = password
return
}
from authentik.
tim-at-gith
commented on June 12, 2024
Hey!
I have done a few tests to narrow down the problem.
I used always the same flow ("radius-authentication-flow") and the user ("tktest").
At the flow password check is "not used" (passwordless) if TOTP Token exists (see https://docs.goauthentik.io/docs/flow/stages/password/)
(Case 1) When I use the inspection/test (web-based), the flow works. The user is logged in.
(Case 2) Code-based MFA is enabled at radius, the flow works. The user is logged in. (see Test 2.1-2.3)
(Case 3) Code-based MFA is disabled at radius, nothing else was changed. Radius Login with TOTP doesnot work! (see Test 3.2) (Test 3.1 tests that codebased MFA is switched off)
I added the flow as attachment radius-authentication-flow.yaml.txt
.
One Remark: User tktest has 2 TOTP-Tokens. I think this not the problem.
Best regards
Tim
Radius code-based MFA
Test 2.1
(Test with a wrong password)
./radtest -t pap -x -4 tktest 'NotPwd;874274' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 186 from 0.0.0.0:40094 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "NotPwd;874274"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "NotPwd;874274"
Received Access-Accept Id 186 from 172.x.x.x:1812 to 10.x.x.x:40094 length 20
Radius code-based MFA
Test 2.2
(Test empty password)
./radtest -t pap -x -4 tktest ';249247' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 160 from 0.0.0.0:50428 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = ";249247"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = ";249247"
Received Access-Accept Id 160 from 172.x.x.x:1812 to 10.x.x.x:50428 length 20
Radius code-based MFA
Test 2.3
(Test password and Tokencode are the same)
./radtest -t pap -x -4 tktest '315763;315763' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 128 from 0.0.0.0:54001 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "315763;315763"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "315763;315763"
Received Access-Accept Id 128 from 172.x.x.x:1812 to 10.x.x.x:54001 length 20
Radius without MFA
Test 3.1
(Check MFA is disbled)
./radtest -t pap -x -4 tktest ';009146' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 253 from 0.0.0.0:39959 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = ";009146"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = ";009146"
Received Access-Reject Id 253 from 172.x.x.x:1812 to 10.x.x.x:39959 length 20
(0) -: Expected Access-Accept got Access-Reject
Radius without MFA
Test 3.2
./radtest -t pap -x -4 tktest '700706' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 120 from 0.0.0.0:59373 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "700706"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "700706"
Received Access-Reject Id 120 from 172.x.x.x:1812 to 10.x.x.x:59373 length 20
(0) -: Expected Access-Accept got Access-Reject
from authentik.
tim-at-gith
commented on June 12, 2024
I think problem is solved at dev-version by #8013?
from authentik.
Related Issues (20)
- Additional HTTP-Auth? reqired from nextcloud after using SAML login
- How to show a custom permission denied message ?
- Comments, Notes, or Description fields. HOT 3
- Can you force local MFA when logging in via Social Login? HOT 2
- Add ability to return a 401 response on wrong basic auth for forward auth proxy provider
- Provide custom user mapping logic via expression HOT 1
- Can authentik work with postgres that have not default port? HOT 7
- Radius Challenge/Response for MFA (RFC2865)
- Issues with Grafana HOT 1
- Unraid installation failed March 22, 2024
- How to map social login users (discord) to directory groups ? HOT 2
- Federate Authentik to LDAP from Authentik
- ak_call_policy calls always error
- Federation OIDC Groups
- Support for Yubico OTP
- TF updates don't refresh current user HOT 2
- Missing User Dashboard Icons HOT 5
- ArgoCD ?has_sso_error HOT 5
- exec: "dumb-init": executable file not found in $PATH: unknown
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authentik.