Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
fabiano at powerpc.ch
Tue Feb 17 22:08:45 CET 2009
Alan DeKok a écrit :
> Fabiano wrote:
>>> A database? You should know what the *correct* password is, otherwise
>>> you won't be able to authenticate the user.
>> You mean, for example making the OTP script (doing exactly the contrary
>> of what it actually does) write the password every 10 seconds to a
>> database for every user and then let freeradius check the db?
>> Is this the only way?
> It would help if you described what you are trying to do, and why.
I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP
server accepting only MSCHAPv2 auth.
This PPTP server uses an internal database with flatfiles for
authenticating VPN users but also offers auth through an external radius
I thought that I could use the motp.sf.net project to make mobile
clients (using cell phones and the j2me applet) authenticate with this
The MOTP project offers a shellscript named otverify.sh which waits some
arguments to verify the client (Username, OTP, Init-Secret, PIN, Time
Username and OTP are given by the VPN client
Init-Secret, PIN and Time Offset are specified in the radius users file.
Normally, this is done using xtradius, executing the script as external
application and giving the arguments to it.
The script answers ACCEPT or FAIL for final auth.
I'm stuck here, having MSCHAPv2 clients and an auth script not useable
with MSCHAPv2 auth.
I have also tried this with the supplied PAM motp module, but as you
said this is not possible.
I had successful auths using radtest, but that's all... ;)
I think that what I will try is rewrite the script in perl to generate
the passwords every x seconds to a database and then make freeradius
auth against the db entries.
Do you think this is the best way?
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
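The exchange above turns on one point: a verify-only script such as otpverify.sh (which answers ACCEPT or FAIL for a token the server already sees in cleartext) only works for PAP-style authentication, whereas with MS-CHAPv2 the RADIUS server never receives the token itself, only a challenge/response, so it must be able to produce every token that is currently valid for the user. The following Python is an added example, not code from the post or from the mOTP project: it implements the published mOTP token algorithm (MD5 over the ten-second epoch counter, the Init-Secret and the PIN, first six hex digits), shows the PAP-style comparison otpverify.sh performs, and then shows the precomputation the poster is proposing, i.e. emitting every (user, token) pair valid inside a time window so that an MS-CHAPv2-capable backend has a cleartext password to check against. The secrets, PINs, user names and the tolerance window are constructed values for the example.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed per-user records, mirroring what the post says lives in the
# RADIUS users file: Init-Secret (16 hex digits), PIN (4 digits) and a
# per-device clock offset in seconds. These are example values only.
USERS: Dict[str, Tuple[str, str, int]] = {
    "alice": ("0123456789abcdef", "1234", 0),
    "bob": ("fedcba9876543210", "4321", -20),  # bob's phone runs 20 s slow
}

STEP_SECONDS = 10  # mOTP changes the token every ten seconds


def motp_token(epoch_seconds: int, init_secret: str, pin: str, offset_seconds: int = 0) -> str:
    """Published mOTP algorithm: MD5(counter || init_secret || pin), first 6 hex digits.

    counter is the device time (corrected by the per-user offset) divided
    by ten and truncated, written as a decimal string.
    """
    counter = (epoch_seconds + offset_seconds) // STEP_SECONDS
    material = f"{counter}{init_secret}{pin}".encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


def candidate_tokens(epoch_seconds: int, init_secret: str, pin: str,
                     offset_seconds: int = 0, window_steps: int = 3) -> Set[str]:
    """Every token valid within +/- window_steps ten-second steps of 'now'.

    The window absorbs clock drift between the phone and the server; a wider
    window means more candidates an attacker could guess, so keep it small.
    """
    return {
        motp_token(epoch_seconds + k * STEP_SECONDS, init_secret, pin, offset_seconds)
        for k in range(-window_steps, window_steps + 1)
    }


def verify_cleartext(token: str, epoch_seconds: int, init_secret: str, pin: str,
                     offset_seconds: int = 0, window_steps: int = 3) -> bool:
    """What otpverify.sh does: works only when the server sees the token in
    cleartext (PAP, or radtest as in the post). With MS-CHAPv2 there is no
    cleartext token to feed in, which is why this path cannot be used there."""
    return token in candidate_tokens(epoch_seconds, init_secret, pin, offset_seconds, window_steps)


def precompute_passwords(users: Dict[str, Tuple[str, str, int]], epoch_seconds: int,
                         window_steps: int = 3) -> List[Tuple[str, str]]:
    """The workaround discussed in the post: generate, for each user, the set
    of cleartext passwords currently valid and hand them to a backend that
    MS-CHAPv2 can authenticate against (MS-CHAPv2 needs the cleartext or the
    NT hash of the password to recompute the client's challenge response).

    Returns (user, token) rows; the caller would write them to the database
    and re-run this every ten seconds, replacing the previous rows."""
    rows: List[Tuple[str, str]] = []
    for user, (init_secret, pin, offset) in sorted(users.items()):
        for tok in sorted(candidate_tokens(epoch_seconds, init_secret, pin, offset, window_steps)):
            rows.append((user, tok))
    return rows


if __name__ == "__main__":
    now = 1234567890  # constructed fixed timestamp so the run is reproducible
    tok = motp_token(now, *USERS["alice"])
    print("alice token:", tok, "accepted:", verify_cleartext(tok, now, *USERS["alice"]))
    for row in precompute_passwords(USERS, now):
        print("db row:", row)
```

The precomputed rows make the weakness of the workaround visible: every user has 2*window_steps+1 valid passwords at any moment, and they sit in cleartext in the database, so the database needs the same protection as the users file that holds the Init-Secrets.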