
Comments (5)

tim-at-gith commented on September 24, 2024

Here I am once again.

Is this possible for the problem:

  • at the radius-flow > identification-stage, leave the password-stage empty (any password is accepted)
  • after the identification-stage, use a new Expression Policy
  • inside the new Expression Policy, call the totp-authenticator-stage via ak_call_policy, with the variable code containing the password value
  • after it passes, continue with authentication-login on the radius-flow

That's my idea.
Does that work?
If so, unfortunately I don't know what the expression policies should look like. My problem is how to transmit the MFA code from the password to the totp-authenticator-stage via ak_call_policy (if code-based RADIUS is off)?

Best Regards
Tim

from authentik.

tim-at-gith commented on September 24, 2024

In the source I found that both the password and the token code (StageAuthenticatorValidate) are set to the password value from the RADIUS request.
But it doesn't work in the flow.

authentik-main/internal/outpost/flow/solvers_mfa.go
...
const CodePasswordSeparator = ";"
...
func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
	if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
		return
	}
	fe.Answers[StagePassword] = password
	if !mfaCodeBased {
		// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
		// This allows flows with a mfa stage only.
		fe.Answers[StageAuthenticatorValidate] = password
		return
	}
	// ... (code-based branch not included in the quoted excerpt)
}


tim-at-gith commented on September 24, 2024

Hey!

I have done a few tests to narrow down the problem.
I always used the same flow ("radius-authentication-flow") and the same user ("tktest").
In the flow, the password check is "not used" (passwordless) if a TOTP token exists (see https://docs.goauthentik.io/docs/flow/stages/password/).

(Case 1) When I use the inspection/test (web-based), the flow works. The user is logged in.
(Case 2) Code-based MFA is enabled at RADIUS, the flow works. The user is logged in. (see Tests 2.1-2.3)
(Case 3) Code-based MFA is disabled at RADIUS, nothing else was changed. RADIUS login with TOTP does not work! (see Test 3.2) (Test 3.1 checks that code-based MFA is switched off)

I added the flow as attachment radius-authentication-flow.yaml.txt.
One remark: user tktest has 2 TOTP tokens. I think this is not the problem.

Best regards
Tim


Radius code-based MFA
Test 2.1
(Test with a wrong password)

./radtest -t pap -x -4 tktest 'NotPwd;874274' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 186 from 0.0.0.0:40094 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "NotPwd;874274"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "NotPwd;874274"
Received Access-Accept Id 186 from 172.x.x.x:1812 to 10.x.x.x:40094 length 20


Radius code-based MFA
Test 2.2
(Test empty password)

./radtest -t pap -x -4 tktest ';249247' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 160 from 0.0.0.0:50428 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = ";249247"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = ";249247"
Received Access-Accept Id 160 from 172.x.x.x:1812 to 10.x.x.x:50428 length 20


Radius code-based MFA
Test 2.3
(Test: password and token code are the same)

./radtest -t pap -x -4 tktest '315763;315763' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 128 from 0.0.0.0:54001 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "315763;315763"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "315763;315763"
Received Access-Accept Id 128 from 172.x.x.x:1812 to 10.x.x.x:54001 length 20


Radius without MFA
Test 3.1
(Check that code-based MFA is disabled)

./radtest -t pap -x -4 tktest ';009146' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 253 from 0.0.0.0:39959 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = ";009146"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = ";009146"
Received Access-Reject Id 253 from 172.x.x.x:1812 to 10.x.x.x:39959 length 20
(0) -: Expected Access-Accept got Access-Reject


Radius without MFA
Test 3.2

./radtest -t pap -x -4 tktest '700706' 172.x.x.x 1812 RadiusSecret
Sent Access-Request Id 120 from 0.0.0.0:59373 to 172.x.x.x:1812 length 76
User-Name = "tktest"
User-Password = "700706"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "700706"
Received Access-Reject Id 120 from 172.x.x.x:1812 to 10.x.x.x:59373 length 20
(0) -: Expected Access-Accept got Access-Reject

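To make concrete what each User-Password value from the tests above ends up offering to the password stage and to the TOTP stage, here is an added, stand-alone Go re-implementation of the SetSecrets decision quoted in the earlier comment (example code, not authentik's own). The stage key strings and the code-based split at the last ";" are assumptions, since the quoted excerpt elides that branch.

```go
package main

import (
	"fmt"
	"strings"
)

// Stage keys of the outpost answer map; the string values are assumptions, not authentik's.
const (
	StagePassword              = "ak-stage-password"
	StageAuthenticatorValidate = "ak-stage-authenticator-validate"
	CodePasswordSeparator      = ";"
)

// SetSecrets re-implements the quoted decision on a plain map standing in for fe.Answers.
// The code-based branch (split at the last ";") is an assumption about the elided part.
func SetSecrets(ans map[string]string, password string, mfaCodeBased bool) {
	if ans[StageAuthenticatorValidate] != "" || ans[StagePassword] != "" {
		return // answers that are already present are never overwritten
	}
	ans[StagePassword] = password
	if !mfaCodeBased {
		// Code-based MFA off: the whole RADIUS password is also offered to the TOTP stage.
		ans[StageAuthenticatorValidate] = password
		return
	}
	idx := strings.LastIndex(password, CodePasswordSeparator)
	if idx < 0 {
		return // no separator: password only, the MFA stage gets no pre-filled answer
	}
	ans[StagePassword] = password[:idx]
	ans[StageAuthenticatorValidate] = password[idx+1:]
}

func main() {
	// Constructed from the User-Password values of the thread's radtest runs.
	cases := []struct {
		name, pw  string
		codeBased bool
	}{
		{"Test 2.1", "NotPwd;874274", true}, {"Test 2.2", ";249247", true}, {"Test 2.3", "315763;315763", true},
		{"Test 3.1", ";009146", false}, {"Test 3.2", "700706", false},
	}
	for _, c := range cases {
		ans := map[string]string{}
		SetSecrets(ans, c.pw, c.codeBased)
		fmt.Printf("%s: password=%q totp=%q\n", c.name, ans[StagePassword], ans[StageAuthenticatorValidate])
	}
}
```

With code-based MFA off, the whole User-Password string, separator included in Test 3.1, becomes the TOTP answer, while in code-based mode only the part after the last ";" does.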

tim-at-gith commented on September 24, 2024

I think the problem is solved in the dev version by #8013?


authentik-automation commented on September 24, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

