From fb4d98dceee408c7ea01f1348986a3416fd497b9 Mon Sep 17 00:00:00 2001
From: "abbas.gheydi"
Date: Fri, 2 Feb 2024 15:13:54 +0330
Subject: [PATCH] fix access-reject on fortigate when two_fa is enabled

Fixes #5
---
 cmd/client/main.go        | 21 ++++++++++++++++++++-
 deploy/docker-compose.yml |  2 +-
 pkgs/rad/Start.go         |  2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/cmd/client/main.go b/cmd/client/main.go
index d90f3a8..6c3bbd4 100644
--- a/cmd/client/main.go
+++ b/cmd/client/main.go
@@ -56,12 +56,31 @@ func main() {
 rfc2865.UserName_SetString(packet, username)
 rfc2865.UserPassword_SetString(packet, password)
 response, err := radius.Exchange(context.Background(), packet, server)
- wg.Done()
 if err != nil {
 log.Fatal(err)
 }
 log.Println("Code:", response.Code)
+ if response.Code == radius.CodeAccessChallenge {
+ state := rfc2865.State_GetString(response)
+ var otpCode string
+ fmt.Println(rfc2865.ReplyMessage_GetString(response))
+ if _, err := fmt.Scanln(&otpCode); err != nil {
+ log.Println(err)
+ }
+
+ rfc2865.UserPassword_SetString(packet, otpCode)
+ rfc2865.State_SetString(packet, state)
+ challengeResponse, err := radius.Exchange(context.Background(), packet, server)
+ if err != nil {
+ log.Fatal(err)
+ }
+ log.Print("Code:", challengeResponse.Code)
+
+ }
+
+ wg.Done()
+
 }()
 }
 wg.Wait()
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 2d7c323..9311fa9 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "2"
 services:
 radotp:
- image: ghcr.io/abbas-gheydi/radotp:main
+ image: ghcr.io/abbas-gheydi/radotp:2.0.1
 restart: always
 ports:
 - "80:8080"
diff --git a/pkgs/rad/Start.go b/pkgs/rad/Start.go
index 3da62fd..fa31604 100644
--- a/pkgs/rad/Start.go
+++ b/pkgs/rad/Start.go
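Review bot: The challenge reply reuses `packet` — `rfc2865.UserPassword_SetString(packet, otpCode)`, `rfc2865.State_SetString(packet, state)`, then a second `radius.Exchange` — so, as far as I can tell from the library, it goes out with the same Identifier and Request Authenticator as the first Access-Request; RFC 2865 expects a fresh Request Authenticator per request (a server may treat the repeat as a retransmission of the first), and because User-Password hiding is keyed by that authenticator, reusing it makes the two hidden passwords XOR-related on the wire. Build a new Access-Request for the second round, as below. Separately, when `fmt.Scanln` fails the code only logs and then still sends an Access-Request carrying an empty User-Password; it should return instead (the `go func()` closure starts outside the hunk, so a `defer wg.Done()` at its top would keep that early return safe). `challengeResponse.Code` is also only logged, so the program never reports whether the OTP round was accepted or rejected.
```go
if _, err := fmt.Scanln(&otpCode); err != nil {
	log.Println(err)
	return // no OTP read; do not send a second request with an empty User-Password
}

// Fresh Access-Request so the second round does not reuse the first
// request's Identifier and Request Authenticator.
reply := radius.New(radius.CodeAccessRequest, packet.Secret)
rfc2865.UserName_SetString(reply, username)
rfc2865.UserPassword_SetString(reply, otpCode)
rfc2865.State_SetString(reply, state)
challengeResponse, err := radius.Exchange(context.Background(), reply, server)
// … unchanged: error check and logging of challengeResponse.Code …
```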
@@ -33,7 +33,7 @@ func StartRadius() {
 log.Println("password is empty for user: ", rfc2865.UserName_GetString(r.Packet))
 }
- if mustCheckPassword() {
+ if mustCheckPassword() && rfc2865.State_GetString(r.Packet) == "" {
 User_PassHandler(w, r)
 } else {