
List:       ipsec-tools-devel
Subject:    [Ipsec-tools-devel] Support for RADIUS challenges
From:       Steve Polyack <korvus () comcast ! net>
Date:       2011-02-28 18:53:41
Message-ID: 4D6BEF35.6030109 () comcast ! net

Has anyone else attempted to use ipsec-tools/racoon with a RADIUS server
which issues challenges?  I'm trying to set up a solution for mobile VPN
access, but our RADIUS backend requires a second factor for
authentication in the form of a RADIUS challenge and response.

Here's what I'm seeing in the racoon logs:

2011-02-28 13:39:15: ERROR: rad_send_request returned 11
2011-02-28 13:39:15: INFO: Released port 0
2011-02-28 13:39:15: INFO: login failed for user "spolyack"

After looking through libradius code, one can see that the return code
of 11 maps to RAD_ACCESS_CHALLENGE:
#define RAD_ACCESS_CHALLENGE            11

It looks like racoon simply does not know what to do when it sees this
return code, since other libradius-based applications are capable of
interpreting these requests and responding.  I looked through the
ipsec-tools ticketing system and was unable to find anything related to
this.  Are there any patches available to add support for challenges? If
not, has anyone else considered working on this?  I'd be comfortable
with implementing the RADIUS side of things, but I'm not sure how to go
about passing the challenge and response between racoon and the
connecting VPN client.

I may be in a position to post a bounty for the addition of support for
RADIUS challenges if anyone's interested.

Thanks!
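
What handling return code 11 involves at the wire level, as an added example (not code from racoon, libradius, or the original post): an Access-Challenge carries a Reply-Message prompt to show the user and an opaque State that must be echoed in the follow-up Access-Request. Attribute numbers are from RFC 2865; `struct challenge`, `parse_challenge` and the sample packet are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAD_ACCESS_CHALLENGE 11   /* packet code, same value libradius uses */
#define RAD_REPLY_MESSAGE    18   /* RFC 2865 attribute: prompt text */
#define RAD_STATE            24   /* RFC 2865 attribute: opaque, echo unchanged */

struct challenge {                /* hypothetical holder, not a racoon type */
    char    prompt[254];          /* attribute value is at most 253 bytes */
    uint8_t state[253];
    size_t  state_len;
};

/* Returns 1 for a well-formed Access-Challenge (fills *out), 0 for any other
 * code, -1 if malformed. Assumes the caller already verified the authenticator. */
int parse_challenge(const uint8_t *pkt, size_t n, struct challenge *out)
{
    if (n < 20) return -1;                        /* fixed header is 20 bytes */
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];  /* length field, big-endian */
    if (len < 20 || len > n) return -1;
    if (pkt[0] != RAD_ACCESS_CHALLENGE) return 0;
    memset(out, 0, sizeof *out);
    for (size_t off = 20; off < len; ) {
        if (len - off < 2) return -1;             /* truncated attribute header */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > len - off) return -1;
        size_t vlen = (size_t)alen - 2;
        if (type == RAD_REPLY_MESSAGE) {          /* last one wins if repeated */
            memcpy(out->prompt, pkt + off + 2, vlen);
            out->prompt[vlen] = '\0';
        } else if (type == RAD_STATE) {
            memcpy(out->state, pkt + off + 2, vlen);
            out->state_len = vlen;
        }
        off += alen;
    }
    return 1;
}

/* Constructed sample: Access-Challenge, id 7, zeroed authenticator,
 * Reply-Message "Enter token:", State DE AD BE EF. */
static const uint8_t sample[] = {
    11, 7, 0x00, 0x28, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    18, 14, 'E','n','t','e','r',' ','t','o','k','e','n',':',
    24, 6, 0xDE, 0xAD, 0xBE, 0xEF };
```

The follow-up Access-Request would carry the user's answer as User-Password together with the saved State bytes, unchanged.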


