scs-cbu-ced-iam / freeradius-mobileid
Mobile ID enabler for FreeRADIUS
https://freeradius.org/releases
The 2.x.x release series is now End Of Life. Only security fixes will be applied to 2.x.x. Users of 2.x.x are encouraged to migrate to the latest 3.0.x series release.
At launch, if no server config is present, the mobileid sample raises:
/etc/raddb/sites-enabled/mobileid[46]: Invalid location for 'if'
Provide a script that will update an LDAP/AD user with the actual SerialNumber of the DN (X-MSS-MobileID-SN)
In addition, adjust the Mobile ID module to allow different options in regards to the SerialNumber check of the Mobile ID user
--decode is not present on all distros; use -d instead
echo "User-Name=+41798440457,User-Password=''" | radclient -t 120 localhost auth testing123
Received response ID 150, code 3, length = 20
exec-mobileid::INFO: MSS_Signature +41798440457 'Demo: Authentication with Mobile ID?' en
exec-mobileid::INFO: FAILED on +41798440457 with error 406 (PB_SIGNATURE_PROCESS: Signature request already in progress.)
exec-mobileid::INFO: RC=2
(1) mobileid : Program returned code (2): Reply-Message:="Error on the user device while confirming the request. Probably an other signature request is already in progress. Please try again."
(1) [mobileid] = fail
(1) } # post-auth = fail
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/mobileid
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : expand: "%{User-Name}" -> '+41798440457'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
Waking up in 0.9 seconds.
(1) Sending delayed reject
Apply updates from SCS-CBU-CED-IAM/mobileid#80 also in exec-mobileid.sh
Ensure that X-MSS-Language will have a default value that can be controlled.
When using realms the Stripped-User-Name should be set as User-Name for further processing.
Move Mobile ID post-auth to authenticate section to support proxy request with other servers and not having additional Mobile ID authentication done
When running freeradius as a service, the
TMP=$(mktemp /tmp/_tmp.XXXXXX) # Request goes here
is not working correctly and returns an empty string, at least on Red Hat Linux.
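A defensive way to handle that failure mode, as an added example (not the project's exec-mobileid.sh): create the per-request temp file through a helper that fails closed when mktemp returns nothing or the file is not writable, instead of letting the script continue with an empty $TMP. The helper takes an optional directory argument and otherwise falls back to $TMPDIR or /tmp; the directory fallback and the error-message prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail closed if the request temp file cannot be created.
# Usage: TMP=$(make_request_tmp) || exit 1
#        TMP=$(make_request_tmp /var/tmp) || exit 1
make_request_tmp() {
  # Directory to use: explicit argument, else $TMPDIR, else /tmp (assumed fallback order)
  mrt_dir="${1:-${TMPDIR:-/tmp}}"

  # mktemp may fail (missing/unwritable directory, PrivateTmp, SELinux, ...);
  # never let an empty string propagate into later "> $TMP" redirections.
  mrt_tmp=$(mktemp "$mrt_dir/_tmp.XXXXXX" 2>/dev/null) || mrt_tmp=""

  if [ -z "$mrt_tmp" ] || [ ! -f "$mrt_tmp" ] || [ ! -w "$mrt_tmp" ]; then
    echo "exec-mobileid::ERROR: cannot create request temp file in $mrt_dir" >&2
    return 1
  fi

  # Only the caller (root or the radiusd user) should read the request/response
  chmod 600 "$mrt_tmp" 2>/dev/null

  printf '%s\n' "$mrt_tmp"
  return 0
}
```

Called as `TMP=$(make_request_tmp) || exit 1`, the script stops with a clear error in the FreeRADIUS log rather than silently writing the SOAP request to a file named by an empty variable.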
proxy.conf and others
freeradius-mobileid/exec-mobileid.sh, line 245 (commit 3d688d4):
UNIQUEIDNEW=$(echo "$RES_CERT_SUBJ" | sed -n -e 's/.*serialNumber=\(.*\),CN=.*/\1/p')
The regular expression is expecting the 'CN' attribute after the 'serialNumber' attribute. The order of the attributes may change as the order of attributes is not specified.
The regular expression should be improved to be independent of the attribute order.
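An order-independent extraction, as an added example (not the project's own code): split the subject into its attribute/value pairs first, then pick the `serialNumber` pair wherever it sits. It assumes the comma-separated "attr=value" form that the existing regex expects (an optional leading `subject=` prefix and optional spaces around `=` are also tolerated); values containing an escaped comma are outside what this simple split handles, exactly as for the original regex. The order-dependent variant is kept alongside only to show the difference on reordered input.

```shell
#!/bin/sh
# Added example: extract serialNumber from an X.509 subject line regardless
# of the attribute order, e.g.
#   "serialNumber=EXAMPLE-SN-123,CN=+41790000000,C=CH"
#   "CN=+41790000000,serialNumber=EXAMPLE-SN-123,C=CH"
#   "subject=C = CH, CN = +41790000000, serialNumber = EXAMPLE-SN-123"
# (all constructed sample values).
extract_serial_number() {
  printf '%s\n' "$1" \
    | sed -e 's/^subject=[[:space:]]*//' \
    | tr ',' '\n' \
    | sed -n -e '/^[[:space:]]*serialNumber[[:space:]]*=/{' \
             -e 's/^[[:space:]]*serialNumber[[:space:]]*=[[:space:]]*//' \
             -e 'p' -e 'q' -e '}'
  # Notes on the pipeline:
  #   1. drop the "subject=" prefix that openssl prints in front of the DN
  #   2. one attribute per line, so position in the DN no longer matters
  #   3. print the value of the first serialNumber line and stop (q)
}

# The order-dependent form from the page, kept only for comparison:
# it requires ",CN=" to follow serialNumber and yields nothing otherwise.
extract_serial_number_orderdependent() {
  printf '%s\n' "$1" | sed -n -e 's/.*serialNumber=\(.*\),CN=.*/\1/p'
}
```

Because an empty result is now only produced when no `serialNumber` attribute exists at all, the caller can treat an empty `$UNIQUEIDNEW` as a hard error (certificate without serial number) rather than as a symptom of attribute ordering.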
Add an option to filter out authorised mobile country codes based on Telco Info
In case the full certificate chain is returned in the signature response, the local bag file needs to contain the root certificate only.
Ensure that the bash scripts will pick the correct signer's certificate and not just the 1st one
FreeRADIUS has taken our patch to avoid hardcoding the timeout value for an exec process (was 10 seconds). This can now be configured in the corresponding module with the timeout value. The problem is that the maximum is limited to 30 seconds. Better, but still not enough for our MID requests, as they depend on the answer time of the end user.
Place a change request to freeradius to allow up to 120 seconds
Update the scripts to use https://mobileid.swisscom.com instead of obsolete https://soap.mobileid.swisscom.com
Errors raised during the call of the exec-mobileid.sh
Executing section post-auth from file /etc/freeradius/sites-enabled/mobileid
...
tr: write error: Broken pipe
tr: write error
Return the Telco Information details in a proper attribute.
...
<mss:Status>
<mss:StatusCode Value="500"/>
<mss:StatusMessage>SIGNATURE</mss:StatusMessage>
<mss:StatusDetail>
<fi:ServiceResponses>
<fi:ServiceResponse>
<fi:Description>
<mss:mssURI>http://mid.swisscom.ch/as#subscriberInfo</mss:mssURI>
</fi:Description>
<ns1:SubscriberInfo xmlns:ns1="http://mid.swisscom.ch/TS102204/as/v1.0">
<ns1:Detail id="1901" value="22801"/>
</ns1:SubscriberInfo>
</fi:ServiceResponse>
</fi:ServiceResponses>
</mss:StatusDetail>
</mss:Status>
...
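The two Telco Info items above (filtering on authorised mobile country codes, and pulling the subscriber details out of the StatusDetail) can be served by one piece of shell, shown here as an added example that is not the project's code. It extracts the `Detail id="1901"` value from the StatusDetail fragment on this page (embedded below as a constructed sample), treats that value as MCC followed by MNC (an assumption of this example; 228 is the Swiss MCC), and checks the MCC against a space-separated allow list. The allow-list format and function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: the StatusDetail fragment shown on this page.
SAMPLE_STATUS_DETAIL='<mss:StatusDetail>
<fi:ServiceResponses>
<fi:ServiceResponse>
<fi:Description>
<mss:mssURI>http://mid.swisscom.ch/as#subscriberInfo</mss:mssURI>
</fi:Description>
<ns1:SubscriberInfo xmlns:ns1="http://mid.swisscom.ch/TS102204/as/v1.0">
<ns1:Detail id="1901" value="22801"/>
</ns1:SubscriberInfo>
</fi:ServiceResponse>
</fi:ServiceResponses>
</mss:StatusDetail>'

# Print the value of the Detail element with id="1901" (assumed: MCC+MNC of
# the subscriber's operator). The namespace prefix is not hardcoded.
subscriber_mccmnc() {
  printf '%s\n' "$1" \
    | sed -n -e 's/.*<[A-Za-z0-9]*:Detail[[:space:]]\{1,\}id="1901"[[:space:]]\{1,\}value="\([0-9]*\)".*/\1/p'
}

# Return 0 if the MCC (first three digits of MCC+MNC) is in the allow list,
# 1 otherwise. An empty or malformed value is rejected (fail closed).
# Usage: mcc_allowed "22801" "228 262"
mcc_allowed() {
  ma_mccmnc=$1
  ma_allowed=$2
  ma_mcc=$(printf '%s' "$ma_mccmnc" | cut -c1-3)
  [ "${#ma_mcc}" -eq 3 ] || return 1
  for ma_entry in $ma_allowed; do
    [ "$ma_entry" = "$ma_mcc" ] && return 0
  done
  return 1
}

# Combine both steps for a whole response; prints the MCC+MNC on success so
# the caller can hand it back to FreeRADIUS in a reply attribute.
# Usage: check_subscriber_info "$RESPONSE_XML" "228"
check_subscriber_info() {
  csi_value=$(subscriber_mccmnc "$1")
  if [ -z "$csi_value" ]; then
    echo "exec-mobileid::INFO: no SubscriberInfo detail 1901 in response" >&2
    return 1
  fi
  if ! mcc_allowed "$csi_value" "$2"; then
    echo "exec-mobileid::INFO: operator $csi_value not in authorised MCC list ($2)" >&2
    return 1
  fi
  printf '%s\n' "$csi_value"
  return 0
}
```

With an empty allow list every subscriber is rejected, so a deployment that does not want the filter should not call `check_subscriber_info` at all rather than pass an empty string; the log lines go to stderr so that stdout stays free for the attribute pairs rlm_exec reads.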
Make sure the "yellow" error messages address the user directly. (Some of them might be copied from mobileid-helper and address the support operator.)
See also SCS-CBU-CED-IAM/simplesaml-mobileid#50
Verify the returned rlm_exec error codes and messages. Maybe wrong module definitions.
Example
$ echo "User-Name=fkaiser,User-Password='fkaiser'" | radclient -t 120 localhost auth
Received response ID 82, code 3, length = 20
Missing the Reply-Message = "The request has been canceled by the user."
Provide a $TRANS_ID that can be used in the DTBS:
# Message sent to Mobile ID (use $AP_PREFIX to set the customer prefix)
DTBS="$AP_PREFIX: Authentication with Mobile ID?"
to
DTBS="$AP_PREFIX: Authentication with Mobile ID? ($TRANS_ID)"