MSCHAPv2 followed by a smsotp authentication

Alan DeKok aland at deployingradius.com
Thu Mar 29 18:15:03 CEST 2012


Thomas Glanzmann wrote:
> I have a proprietary radius client which I want to authenticate against
> freeradius the following way:
> 
>         - User types in username: directory\Administrator password:secret
>         - Freeradius authenticates against active directory.

  Which authentication method?  This matters a lot.

> This already works
> 
>         - From the documentation of the proprietary radius client:
> 
>           After authenticating to RADIUS, you may get another prompt if
>           the RADIUS server responded with a supported Access Challenge.
>           Full generic RADIUS challenge/response is not supported, but a
>           limited access challenge for a string token code is supported.

  What does that mean?

>         - So now I want freeradius to send 'Access Challenge' and send a
>           sms to the user (for that purpose I wrote a perl daemon which
>           listens on a unix socket in order to talk to smsotp freeradius
>           module)[1]. However nothing comes in.

  What does that mean?  "nothing comes in" ???

> authenticate {
>         mschap
>         Auth-Type smsotp {
>                 mschap
>                 smsotp
>         }

  I really doubt that will work.

>         - Is it possible to do a mschapv2 authentication followed by
>           Access challenge in order to send out a sms with a one time
>           password by configuring freeradius or do I need to code?

  No.  It's impossible.  MS-CHAP is an authentication method with
pre-defined meaning, user interaction, and data flow.  Adding something
to it is impossible.

> Where
>           do I find pointers? I read the source code of the smsotp and
>           the rlm_example module, I get the basic idea that first the
>           otp is generated and then it is checked, however I don't get
>           how to configure freeradius to choose the codepath. I also
>           don't get if it is possible to stack authentication methods in
>           freeradius.

  Sometimes, yes.  It depends on the authentication method.

  Alan DeKok.
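The challenge/response flow the thread is about, as an added illustration that is not FreeRADIUS or rlm_smsotp code: a toy RADIUS server checks a PAP password, answers with an Access-Challenge carrying a Reply-Message prompt and a State attribute, and accepts a second Access-Request that echoes the State with the SMS code in User-Password. Packet layout, User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, user, password, directory stand-in and OTP value are constructed for the example. The token only has somewhere to go because PAP lets the NAS send a fresh User-Password in a second request; an MS-CHAPv2 NAS puts its whole proof in the first request's MS-CHAP2-Response and expects MS-CHAP2-Success (or a reject) back, so there is no second round in which a token could be collected.

```python
"""Toy RADIUS Access-Challenge round trip (RFC 2865): PAP login, then an
SMS token prompt.  Added example; secret, users and OTP are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"testing123"  # assumed NAS/server shared secret


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def pap_encrypt(password, request_auth, secret=SECRET):
    """RFC 2865 5.2: null-pad to 16 bytes, XOR each chunk with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher, request_auth, secret=SECRET):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret=SECRET):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


class TokenServer:
    """Password check first, then Access-Challenge asking for the SMS code."""

    def __init__(self, users, send_sms):
        self.users = users        # username -> password (stand-in for the directory)
        self.send_sms = send_sms  # callable(username) -> otp string it delivered
        self.pending = {}         # State bytes -> otp still expected

    def reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs), attrs)

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return self.reply(ACCESS_REJECT, ident, req_auth, [])
        typed = pap_decrypt(a[USER_PASSWORD], req_auth).decode()
        if STATE in a:  # second round: State ties the token to the earlier challenge
            ok = self.pending.pop(a[STATE], None) == typed
            return self.reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        if self.users.get(a[USER_NAME].decode()) != typed:
            return self.reply(ACCESS_REJECT, ident, req_auth, [])
        state = os.urandom(16)
        self.pending[state] = self.send_sms(a[USER_NAME].decode())
        return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                          [(REPLY_MESSAGE, b"Enter the code sent by SMS"), (STATE, state)])


def _send(server, ident, attrs):
    """NAS helper: send one Access-Request and verify the Response Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(t, pap_encrypt(v, req_auth) if t == USER_PASSWORD else v) for t, v in attrs]
    code, rid, resp_auth, rattrs = parse_packet(server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
    if resp_auth != response_authenticator(code, rid, req_auth, rattrs):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code, dict(rattrs)


def nas_login(server, username, password, prompt):
    """PAP login; on Access-Challenge, prompt the user and resend with State."""
    code, a = _send(server, 1, [(USER_NAME, username.encode()), (USER_PASSWORD, password.encode())])
    if code != ACCESS_CHALLENGE:
        return code
    token = prompt(a.get(REPLY_MESSAGE, b"").decode())
    code, _ = _send(server, 2, [(USER_NAME, username.encode()),
                                (USER_PASSWORD, token.encode()), (STATE, a[STATE])])
    return code
```

`nas_login` plays the client from the quoted documentation: it understands exactly one challenge, whose Reply-Message it shows as the prompt, and returns whatever the second round yields. Replace `TokenServer.users` with a real directory lookup and `send_sms` with the Perl daemon to get the shape of a PAP-based setup.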
