LinOTP. FreeRadius Server Integration.

Hi Everyone,

Here we will install FreeRADIUS and pair it with LinOTP.
You can also run FreeRADIUS on a separate server if you prefer.

Remove the default config file and create a new one with our client IP and secret.

Now change the URL to the IP of your LinOTP server and change the REALM name to the realm you created in the first part:

To test RADIUS from the client (CentOS 7; in my case 172.17.14.29), run:

If access is granted, you have successfully installed FreeRADIUS and paired it with LinOTP. The arguments of the test command are:

MTokarev - username
607918 - my passcode
172.17.14.103 - RADIUS server IP
0 - port (just leave it unchanged)
11122928 - your client secret
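To see what the radtest step above actually puts on the wire, here is an added Python client (not the author's or the LinOTP project's code) that builds the same PAP Access-Request, hides the passcode with the client secret as RFC 2865 specifies, and verifies the server's Response Authenticator before trusting an Accept or Reject. The attribute set (User-Name, NAS-Port, User-Password, Message-Authenticator), UDP port 1812 and the constructed request authenticator used in the comments are assumptions, not taken from the post.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def xor_password(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        prev, out = (data[i:i + 16] if decrypt else block), out + block
    return out

def attr(kind, value):  # RADIUS attribute: type, length, value
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_access_request(ident, username, password, nas_port, secret, request_auth):
    """User-Name(1), NAS-Port(5), hidden User-Password(2) and an RFC 2869 Message-Authenticator(80)."""
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    attrs = (attr(1, username.encode()) + attr(5, struct.pack("!I", nas_port))
             + attr(2, xor_password(padded, secret, request_auth)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    mac = hmac.new(secret, head + attrs + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return head + attrs + attr(80, mac)

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """A reply that fails this check was not built with our shared secret: discard it."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def radtest(username, password, server, nas_port, secret, udp_port=1812, timeout=3.0):
    """True on Access-Accept, False on Access-Reject; ValueError on a forged or mismatched reply."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)  # fresh per request, never reused
    pkt = build_access_request(ident, username, password, nas_port, secret, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, udp_port))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not reply_is_authentic(reply, request_auth, secret):
        raise ValueError("reply failed the Response Authenticator check (wrong secret or spoofed)")
    return reply[0] == ACCESS_ACCEPT
```

Calling radtest("MTokarev", "607918", "172.17.14.103", 0, b"11122928") reproduces the test command from the post; a reply that fails the authenticator check means the secret in the FreeRADIUS client entry does not match, or the reply did not come from the server.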

In the next part we'll configure the client host to use PAM RADIUS and try to authenticate with an OTP.

10 thoughts on “LinOTP. FreeRadius Server Integration.”

  1. Hi,
    I struggle with this task: to set up LinOTP and FreeRADIUS to authenticate Windows users accessing their server. LinOTP is up and connected to Windows AD, and the AD users have had soft tokens enrolled, and LinOTP authentication tested... so far so good. FreeRADIUS has been configured and radtest is also testing OK.

    NPS in the domain is passing authentication requests to FreeRADIUS and all of them are denied by LinOTP. When I run freeradius -X and try to attach the VPN to the Windows server it looks like this:

    All input welcome, or perhaps a tutorial dealing with the rest of the steps needed 🙂

    rad_recv: Access-Request packet from host 172.17.10.30 port 53540, id=5, length=375
    Acct-Session-Id = "71"
    NAS-Identifier = "WIN2012LAB"
    NAS-IP-Address = 172.17.10.30
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 128
    NAS-Port-Type = Virtual
    Tunnel-Type:0 = PPTP
    Tunnel-Medium-Type:0 = IPv4
    Called-Station-Id = "172.17.10.30"
    Tunnel-Server-Endpoint:0 = "172.17.10.30"
    Calling-Station-Id = "192.168.8.2"
    Tunnel-Client-Endpoint:0 = "192.168.8.2"
    User-Name = "test"
    MS-Network-Access-Server-Type = Remote-Access-Server
    MS-RAS-Vendor = 311
    MS-RAS-Version = "MSRASV5.20"
    MS-RAS-Correlation = 0x7b36463138313335422d313944452d343742392d383532462d4336364534443936344431457d
    MS-RAS-Client-Version = "MSRASV5.20"
    MS-RAS-Client-Name = "MSRAS-0-WS3"
    MS-CHAP-Challenge = 0x78a420c86517ee3d8c6a8afdafd55639
    MS-CHAP2-Response = 0x0100e78fed6a05a950ed1d8eb289ddf865360000000000000000b726ca411165dd81eaf0a15ab4b232944314f420473e4887
    Proxy-State = 0xac110a1e0000005c
    Message-Authenticator = 0xcbe84ac5f882f87acdeb73e466365cec
    # Executing section authorize from file /etc/freeradius/sites-enabled/linotp
    +group authorize {
    ++[preprocess] = ok
    [IPASS] No '/' in User-Name = "test", looking up realm NULL
    [IPASS] No such realm "NULL"
    ++[IPASS] = noop
    [suffix] No '@' in User-Name = "test", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] = noop
    [ntdomain] No '\' in User-Name = "test", looking up realm NULL
    [ntdomain] No such realm "NULL"
    ++[ntdomain] = noop
    [files] users: Matched entry DEFAULT at line 1
    ++[files] = ok
    ++[expiration] = noop
    ++[logintime] = noop
    [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] = noop
    +} # group authorize = ok
    Found Auth-Type = perl
    # Executing group from file /etc/freeradius/sites-enabled/linotp
    +group authenticate {
    rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
    rlm_perl: Default URL https://172.17.10.20/validate/simplecheck
    rlm_perl: RAD_REQUEST: MS-CHAP-Challenge = 0x78a420c86517ee3d8c6a8afdafd55639
    rlm_perl: RAD_REQUEST: NAS-Identifier = WIN2012LAB
    rlm_perl: RAD_REQUEST: MS-Network-Access-Server-Type = Remote-Access-Server
    rlm_perl: RAD_REQUEST: Tunnel-Medium-Type = IPv4
    rlm_perl: RAD_REQUEST: NAS-IP-Address = 172.17.10.30
    rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
    rlm_perl: RAD_REQUEST: MS-RAS-Vendor = 311
    rlm_perl: RAD_REQUEST: User-Name = test
    rlm_perl: RAD_REQUEST: Service-Type = Framed-User
    rlm_perl: RAD_REQUEST: Framed-Protocol = PPP
    rlm_perl: RAD_REQUEST: Tunnel-Type = PPTP
    rlm_perl: RAD_REQUEST: Message-Authenticator = 0xcbe84ac5f882f87acdeb73e466365cec
    rlm_perl: RAD_REQUEST: MS-CHAP2-Response = 0x0100e78fed6a05a950ed1d8eb289ddf865360000000000000000b726ca411165dd81eaf0a15ab4b232944314f420473e4887
    rlm_perl: RAD_REQUEST: MS-RAS-Client-Name = MSRAS-0-WS3
    rlm_perl: RAD_REQUEST: MS-RAS-Client-Version = MSRASV5.20
    rlm_perl: RAD_REQUEST: NAS-Port = 128
    rlm_perl: RAD_REQUEST: Called-Station-Id = 172.17.10.30
    rlm_perl: RAD_REQUEST: MS-RAS-Version = MSRASV5.20
    rlm_perl: RAD_REQUEST: Tunnel-Server-Endpoint = 172.17.10.30
    rlm_perl: RAD_REQUEST: Tunnel-Client-Endpoint = 192.168.8.2
    rlm_perl: RAD_REQUEST: Acct-Session-Id = 71
    rlm_perl: RAD_REQUEST: Proxy-State = 0xac110a1e0000005c
    rlm_perl: RAD_REQUEST: MS-RAS-Correlation = 0x7b36463138313335422d313944452d343742392d383532462d4336364534443936344431457d
    rlm_perl: RAD_REQUEST: Calling-Station-Id = 192.168.8.2
    rlm_perl: Auth-Type: perl
    rlm_perl: Url: https://172.17.10.20/validate/simplecheck
    rlm_perl: User: test
    rlm_perl: urlparam realm = labs.lan
    rlm_perl: urlparam user = test
    rlm_perl: urlparam client = 172.17.10.30
    rlm_perl: Content :-(
    rlm_perl: return RLM_MODULE_REJECT
    rlm_perl: Added pair MS-CHAP-Challenge = 0x78a420c86517ee3d8c6a8afdafd55639
    rlm_perl: Added pair NAS-Identifier = WIN2012LAB
    rlm_perl: Added pair MS-Network-Access-Server-Type = Remote-Access-Server
    rlm_perl: Added pair Tunnel-Medium-Type = IPv4
    rlm_perl: Added pair NAS-IP-Address = 172.17.10.30
    rlm_perl: Added pair NAS-Port-Type = Virtual
    rlm_perl: Added pair MS-RAS-Vendor = 311
    rlm_perl: Added pair User-Name = test
    rlm_perl: Added pair Service-Type = Framed-User
    rlm_perl: Added pair Framed-Protocol = PPP
    rlm_perl: Added pair Tunnel-Type = PPTP
    rlm_perl: Added pair Message-Authenticator = 0xcbe84ac5f882f87acdeb73e466365cec
    rlm_perl: Added pair MS-CHAP2-Response = 0x0100e78fed6a05a950ed1d8eb289ddf865360000000000000000b726ca411165dd81eaf0a15ab4b232944314f420473e4887
    rlm_perl: Added pair MS-RAS-Client-Name = MSRAS-0-WS3
    rlm_perl: Added pair MS-RAS-Client-Version = MSRASV5.20
    rlm_perl: Added pair NAS-Port = 128
    rlm_perl: Added pair Called-Station-Id = 172.17.10.30
    rlm_perl: Added pair MS-RAS-Version = MSRASV5.20
    rlm_perl: Added pair Tunnel-Server-Endpoint = 172.17.10.30
    rlm_perl: Added pair Tunnel-Client-Endpoint = 192.168.8.2
    rlm_perl: Added pair Acct-Session-Id = 71
    rlm_perl: Added pair Proxy-State = 0xac110a1e0000005c
    rlm_perl: Added pair MS-RAS-Correlation = 0x7b36463138313335422d313944452d343742392d383532462d4336364534443936344431457d
    rlm_perl: Added pair Calling-Station-Id = 192.168.8.2
    rlm_perl: Added pair Reply-Message = LinOTP server denied access!
    rlm_perl: Added pair Auth-Type = perl
    ++[perl] = reject
    +} # group authenticate = reject
    Failed to authenticate the user.
    Delaying reject of request 2 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 2
    Sending Access-Reject of id 5 to 172.17.10.30 port 53540
    Reply-Message = "LinOTP server denied access!"
    Proxy-State = 0xac110a1e0000005c
    Waking up in 1.8 seconds.
    Cleaning up request 1 ID 4 with timestamp +10
    Waking up in 3.1 seconds.
    Cleaning up request 2 ID 5 with timestamp +13
    Ready to process requests.

    1. I didn't use it with MS NPS, but I think you need to investigate the realm in the user format:

      [suffix] No '@' in User-Name = "test", looking up realm NULL
      [suffix] No such realm "NULL"
      ++[suffix] = noop
      [ntdomain] No '\' in User-Name = "test",

  2. Hi again,
    I found that that scenario will never work, because Windows wants to perform challenge-response authentication and LinOTP/FreeRADIUS uses a cleartext user/password, so this is not solvable without installing some kind of tailored credential provider on Windows hosts.

    I found one open source project, pGina, but that might only work for Windows XP.

    And the project seems to have disappeared into the commercial part of LinOTP, but I could be wrong.

    I will focus on using LinOTP/FreeRADIUS to authenticate an OpenVPN tunnel and then let the users live with two different logons. Not ideal from a usability point of view, but more secure than using the MS built-in VPNs with the same user/password database for both tunnel and OS access.

    1. I don't think that MS VPN is poorly secured; you can use SSTP or even DirectAccess.
      But thank you for your comment :)

    2. Can I contact you by Gmail or something? I am new to this field and I am in a hurry to get knowledge about LinOTP. If it's possible, please reply to me, thanks.

  3. Hi, I am new to LinOTP and this field. Can you give me an example of which occasions LinOTP should be used on? I am so confused, can you help me?

    1. If you want additional security for your server you can use 2-factor auth. For example, to log in to the system the user should provide their regular password together with a randomly generated PIN code from the LinOTP server. So if someone stole the user's password they could not log in because they do not know the PIN code.

      1. So, how do I get the random PIN code each time I log in to the server? Will LinOTP send it to my phone or something? If I get the PIN code, how do I use it? Just validate it after my password validation? Thanks for your reply.
