freeradius OTP with OATH

Thomas Glanzmann thomas at
Sun Sep 9 06:27:58 CEST 2012

Hello Arran,

> What is the server missing as of 2.2.0 that requires the use of rlm_perl?

I'm not aware of the FreeRadius internals but you can simply look at the
FreeRadius Module rlm_smsotp. This is what happens.

        - User authenticates with PAP
        - The server answer will be of access challenge type and
          includes two additional fields:

                - State: Random number (FreeRadius has to keep it an
                  associate that with the generated otp)

                - Prompt

          At the same time a otp random number is also saved and
          associated with the state and the user and sent to the user
          for example using a SMS but it could of course use any other
          otp method for example with preshared key.

        - The client answeres and provide the state and otp in the
          'passowrd' field. The server than has to verify:

                - Is the state corresponding to user name and otp?

                - Is the request still valid (timeout)?

That's basically it.

> On the surface it seems all you're missing is random string generation?

If it can't do that, than yes for the state and the otp value.

> With 3.0 you can define policies which have 'methods' that map to the
> different sections of the server, so you could write the whole thing
> as a virtual module.

If you walk me through it, I would like to try that.


More information about the Freeradius-Users mailing list