

Interoperability with RADIUS clients & servers

Tekradius LT and multiOTP

Pdudas
Posts: 11
8.12.2016
Dear All!

I have a strange problem. I am trying to authenticate 2 different kinds of VPN service for the same user via TekRADIUS LT on multiOTP.
MultiOTP is connected to AD, users are imported, and TOTP authentication works fine (via command line).

We use SSL VPN and L2TP as well, even for the same user (SSL on laptop, L2TP on phone).
Based on AD group membership this was easy with NPS. SSL uses PAP, L2TP uses MsChapv2 authentication type.

Because of this, on Tekradius I have to run a different Check External Executable for the different authentication methods of the VPN services.

So for SSL VPN I use C:\multiotp\multiotp.exe -log "%ietf|1%" %ietf|2%
(yes, the first parameter is in "" as we have spaces in the user names and multiOTP does not find the account name when it has a space inside)

And for L2TP I plan to use (not tested): C:\multiotp\multiotp.exe -log "%ietf|1%" -ms-chap-challenge=%msoft|11% -ms-chap2-response=%msoft|25%

My only question: is it possible to script this somehow in Tekradius?

SSL uses PAP - so I would like to run the Check External Executable as 'C:\multiotp\multiotp.exe -log "%ietf|1%" %ietf|2%'
L2TP uses MsChapv2 - so I would like to run the Check External Executable as 'C:\multiotp\multiotp.exe -log "%ietf|1%" -ms-chap-challenge=%msoft|11% -ms-chap2-response=%msoft|25%'

for the SAME USER!!!

So based on the RADIUS attributes in the request I would like to use 2 different 'Check External Executable' entries if possible (as I presume I cannot create the same user twice, belonging to different groups).

The other option would be to manipulate the user name somehow - like the user is 'John Smith' in AD and we use 'SSLJohn Smith' or 'LTPJohn Smith' for VPN and we cut the first 3 characters before it is transmitted to multiOTP. Is this possible (manipulating the user names)?

Thank you!

Pdudas
Admin
Administrator
Posts: 4992
8.12.2016
Hi,

You can consider building a VBScript which can either invoke

C:\multiotp\multiotp.exe -log "%ietf|1%" %ietf|2%

or

C:\multiotp\multiotp.exe -log "%ietf|1%" -ms-chap-challenge=%msoft|11% -ms-chap2-response=%msoft|25%

based on incoming attributes. You should supply attributes as parameters to this VBScript and
the VBScript can pass parameters to multiotp.

Best regards,

Yasin KAPLAN
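An added example of the dispatcher the reply above describes, written in Python instead of VBScript; it is not code from this thread, from TekRADIUS or from multiOTP. It assumes TekRADIUS is pointed at the script (with python.exe on the PATH) in place of multiotp.exe, that macros for attributes absent from the request expand to empty strings, and that TekRADIUS treats exit code 0 of the external executable as a successful check; the script name dispatch.py is hypothetical. The PAP branch reproduces the SSL VPN command line and the MS-CHAPv2 branch the L2TP one, and because the user name travels as its own argv element, 'John Smith' reaches multiotp intact without quoting.

```python
# Added example, not from the thread and not part of TekRADIUS or multiOTP.
# Assumed 'Check External Executable' entry (python.exe on PATH):
#   python C:\multiotp\dispatch.py "%ietf|1%" "%ietf|2%" "%msoft|11%" "%msoft|25%"
# The script picks the PAP or MS-CHAPv2 multiotp command line from the
# attributes that are present and returns multiotp's exit code, which
# TekRADIUS is assumed to treat as the check result (0 = success).
import subprocess
import sys
from typing import List, Optional

MULTIOTP = r"C:\multiotp\multiotp.exe"   # path used in the thread


def auth_method(user_password: str, ms_chap_challenge: str,
                ms_chap2_response: str) -> Optional[str]:
    """Classify the request from the attributes it carries.

    An MS-CHAPv2 request (L2TP here) carries MS-CHAP-Challenge (%msoft|11%)
    and MS-CHAP2-Response (%msoft|25%) and no User-Password; a PAP request
    (SSL VPN here) carries User-Password (%ietf|2%) only.
    """
    if ms_chap_challenge and ms_chap2_response:
        return "mschapv2"
    if user_password:
        return "pap"
    return None


def build_command(user_name: str, user_password: str, ms_chap_challenge: str,
                  ms_chap2_response: str,
                  multiotp_path: str = MULTIOTP) -> List[str]:
    """Return the argv list for multiotp.exe, or raise ValueError.

    The user name is one argv element, so a name containing spaces needs
    no quoting in the TekRADIUS command line.
    """
    if not user_name.strip():
        raise ValueError("empty User-Name")
    method = auth_method(user_password, ms_chap_challenge, ms_chap2_response)
    if method == "mschapv2":
        return [multiotp_path, "-log", user_name,
                f"-ms-chap-challenge={ms_chap_challenge}",
                f"-ms-chap2-response={ms_chap2_response}"]
    if method == "pap":
        return [multiotp_path, "-log", user_name, user_password]
    raise ValueError("neither User-Password nor MS-CHAPv2 attributes present")


def main(argv: List[str]) -> int:
    # Pad so that macros of attributes absent from the request (assumed to
    # expand to empty strings) still map onto the four positions.
    args = (list(argv[1:]) + [""] * 4)[:4]
    try:
        cmd = build_command(*args)
    except ValueError as exc:
        # Log the reason only; never the password or the MS-CHAP material.
        print(f"reject: {exc}", file=sys.stderr)
        return 1
    # Passing a list (no shell=True) means a crafted user name cannot inject
    # shell metacharacters into the multiotp command line.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Any non-zero exit from multiotp (or from the wrapper when the request carries neither credential form) is passed back to TekRADIUS as a failed check, so a request that reaches the wrapper with an unexpected attribute mix is rejected rather than silently tried as PAP.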
Pdudas
Posts: 11
9.12.2016
Hi!

Is it possible to use wildcards in the user name in Tekradius LT?
My plan is to add the TOTP password to the name with a ':'.

In this way the SSL VPN uses the existing (and working) 'username/password+totp' format, and L2TP can use the 'username:totp/password' format.
The key is the wildcard in the user name at Tekradius. A normal user name means SSL - normal+6 digits means L2TP.

Thank you!

Admin wrote:
Hi,

You can consider building a VBScript which can either invoke

C:\multiotp\multiotp.exe -log "%ietf|1%" %ietf|2%

or

C:\multiotp\multiotp.exe -log "%ietf|1%" -ms-chap-challenge=%msoft|11% -ms-chap2-response=%msoft|25%

based on incoming attributes. You should supply attributes as parameters to this VBScript and
the VBScript can pass parameters to multiotp.

Best regards,

Yasin KAPLAN
Admin
Administrator
Posts: 4992
9.12.2016
Commercial editions of TekRADIUS support Regular Expression based matching in user names. I can provide you a trial key.
Pdudas
Posts: 11
11.12.2016
Thank you!

Maybe it is easier to go for their commercial version with a built-in radius server.
multiOTP
Posts: 14
17.12.2016
Hello Pdudas,

Using TekRADIUS and multiOTP, you should be able to do both at the same time without any problem:

C:\multiotp\multiotp.exe %ietf|1% %ietf|2% -chap-challenge=%ietf|60% -chap-password=%ietf|3% -ms-chap-challenge=%msoft|11% -ms-chap-response=%msoft|1% -ms-chap2-response=%msoft|25%

Thanks for keeping us in touch!

Regards
edited by multiOTP on 18.12.2016
Powered by Jitbit Forum 8.3.8.0 © 2006-2013 Jitbit Software