Bug #2928
closed
Authentication attempts against multiple radius servers should stop when the first reject is received.
0%
Description
The radius.inc code in pfsense treats anything that is not an radius accept as the same kind of failure. It does not differentiate between a radius reject and any other kind of failure, timeouts, configuration errors, etc. When multiple radius servers are configured it will try to authenticate against all the servers configured even if previous servers returns a reject. It's logic is 'if it's not accept, try the next server'.
I propose that the authentication hunt should stop on a reject and only proceed to the next server only when it fails to receive a determined answer back from radius. The current behavior is problematic when your radius server is doing something like two factor authentication where a user may get continued authentication requests after they reject the first request.
Also to remedy my pain the server.php that is generated for the openvpn authentication plugin script will need to know how to use this new functionality.
Updated by Tuyan Ozipek almost 12 years ago
For two factor authentication , you need to use Access-Challenge response from your radius server, and use it to process the second/third.. etc. stage.
From RFC :
Example: The NAS sends an Access-Request packet to the RADIUS Server
with NAS-Identifier, NAS-Port, User-Name, User-Password (which may
just be a fixed string like "challenge" or ignored). The server
sends back an Access-Challenge packet with State and a Reply-Message
along the lines of "Challenge 12345678, enter your response at the
prompt" which the NAS displays. The NAS prompts for the response and
sends a NEW Access-Request to the server (with a new ID) with NAS-
Identifier, NAS-Port, User-Name, User-Password (the response just
entered by the user, encrypted), and the same State Attribute that
came with the Access-Challenge. The server then sends back either an
Access-Accept or Access-Reject based on whether the response matches
the required value, or it can even send another Access-Challenge.
Moreover, stopping on the first authentication fail, might be against the same rfc, which says;
If the request to a primary Authentication server fails, a secondary server must be queried.
Just my 2 cents..
Updated by Chris Buechler over 11 years ago
- Status changed from New to Closed
current behavior is correct