Ideas

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Fri Sep 14 22:39:44 CEST 2012


Hi All,
  I've been following Thomas Glanzmann's work on sms/email otp with
freeradius and can see it could REALLY save our organisation a lot of
money (we're using securid tokens exclusively ATM). I'm trying to work
out something to suit us and at the same time be helpful to others into
making something useful, not that I'm a coder particularly.
Can I just ask if anyone has any ideas about implementing a beginning
process like this:

Authorization:
-	Check user is in an ldap group "allowed" to do otp; using the
files, and ldap modules. I'm thinking pass back the phone number for sms
from the ldap module, and place in a custom attribute. OK on that bit.

Authentication:
-	Assuming user has a phone number in ldap and is allowed to do
OTP, and if the request is new and they authenticate, then we want to
generate an OTP and store it. I guess the generation *could* be done in
exec or perl modules quite easily or using xlat, but not sure how to do
it using that. Then the user, otp failed attempts and maybe lock state
are stored, preferably in a sql table. If request isn't new, how many
tries have they already had?
-	The ordering is the tricky thing here - we need to authenticate
the user before an otp is generated, then challenge against that otp,
incrementing the failure count if the auth fails and then rechallenging
up to the failure limit and then setting auth-type if we pass the user.
I can't do unlang in the authentication phase and presumably the post
auth section may not be the place to do all these other checks and sql
bits. I can see why it's perhaps easier to do all this in exec or perl
modules and just return an exit code, but I'd like to see if it can all
be done within FR. Once the challenge fails, we need to prompt again
until the retry limit.
-	At some point we need to return control variables from the to
determine the account lock state and failed attempts if the user fails
and then revisits the NAS - from the SQL module, where I'd like to see
the session data stored. I guess this is possible but am not 100% on how
it's done.

These are just ramblings. I'd forgive people for just
ignoring this post, but hopefully someone is interested enough to get
something like this working - it's a great cheap way of 2 factor
authentication and it'd be nice not to have to go and buy software to do
this. I know Thomas Glanzmann has already got this going with rlm_perl
and the smsotp module methods using a file based db, but I'd like to see
ldap authorization and variable passback (phone numbers/ email addresses
if using email OTP) filling an sql DB, or maybe rlm_cache (of which I've
no knowledge and I think is experimental?) for storage of variables.
Also some post auth sql storage of cumulative sessions, failed attempts
etc, if possible all using FR natively without perl/exec etc, which
wouldn't be too difficult.

Am I dreaming or can this be done completely within FR
without using perl/exec/..?
		Cheers
		Andy
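
The OTP state handling described in the post above (issue an OTP only after the first factor succeeds, count failures, re-challenge up to a limit, keep the lock state in SQL across visits), as an added example that is not part of the original message and is not FreeRADIUS configuration. It uses Python with an in-memory SQLite table; the table name `otp_state`, the function names, the retry limit of 3 and the 300-second lifetime are assumptions, and SMS delivery is left to the caller.

```python
import hashlib, hmac, secrets, sqlite3, time

MAX_TRIES = 3   # assumed retry limit before the account is locked
OTP_TTL = 300   # assumed OTP lifetime in seconds

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE otp_state (username TEXT PRIMARY KEY, salt BLOB,"
               " otp_hash BLOB, expires REAL, failures INTEGER, locked INTEGER)")
    return db

def _digest(salt, otp):
    return hashlib.sha256(salt + otp.encode()).digest()

def start_challenge(db, user, now=None):
    """Call only after the first factor succeeded. Returns the OTP to send, or None if locked."""
    now = time.time() if now is None else now
    row = db.execute("SELECT failures, locked FROM otp_state WHERE username=?",
                     (user,)).fetchone()
    if row and row[1]:
        return None                       # locked accounts get no new OTP
    otp = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)        # store a salted hash, not the code itself
    db.execute("INSERT OR REPLACE INTO otp_state VALUES (?,?,?,?,?,0)",
               (user, salt, _digest(salt, otp), now + OTP_TTL, row[0] if row else 0))
    return otp                            # failure count carries over between visits

def check_otp(db, user, supplied, now=None):
    """Returns 'accept', 'rechallenge' or 'reject'."""
    now = time.time() if now is None else now
    row = db.execute("SELECT salt, otp_hash, expires, failures, locked"
                     " FROM otp_state WHERE username=?", (user,)).fetchone()
    if row is None or row[4]:
        return "reject"                   # no pending OTP, or account locked
    salt, otp_hash, expires, failures, _ = row
    if now > expires:
        return "reject"                   # expired: user must start a new login
    if hmac.compare_digest(otp_hash, _digest(salt, supplied)):
        db.execute("DELETE FROM otp_state WHERE username=?", (user,))  # single use
        return "accept"
    failures += 1
    locked = int(failures >= MAX_TRIES)
    db.execute("UPDATE otp_state SET failures=?, locked=? WHERE username=?",
               (failures, locked, user))
    return "reject" if locked else "rechallenge"
```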