Use 2 modules to auth together.
luckydog xf
luckydogxf at gmail.com
Mon Nov 26 08:42:02 CET 2018
Hi all,

Is there any way to handle a second access request?

Our user is in AD, and the VPN will do an MSCHAP authentication first and
filter the User-Name property from the access request, then call an
access-challenge to verify against the other module, whose logic is as
simple as starting an HTTP request via
http://XXX/check/username=<USER-NAME>&OTP=<xxxxxx>; if it returns 200, it's
OK.

Basically, I want to auth a single login against two modules; only if both
of them are successful can the auth be deemed OK.

# sites-enabled/default
authorize {
    if (!&State) {
        # MS-CHAP has no User-Password, so it's true.
        if (!&User-Password) {
            # If !State and User-Password is null, then goes to MS-CHAP:
            update {
                &control:Auth-Type := MS-CHAP
            }
        }
        else {
            reject
        }
    }
    else {
        # The 2nd auth module.
        # I DON'T KNOW HOW TO WRITE.
    }
}
# ### authentication #####
authenticate {
    Auth-Type MS-CHAP {
        mschap
        if (ok) {
            update reply {
                # Create a random State attribute:
                &State := "%{randstr:XXXXXXXXXXXXX}"
                &Reply-Message := "Please type your OTP:"
            }
            # Return Access-Challenge, goes to the 2nd auth.
            challenge
        }
    }
}

Thanks a lot.
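
An added example, not part of the original post and not FreeRADIUS configuration: a Python model of the two-round decision described above (MS-CHAP, then an Access-Challenge carrying State, then the HTTP OTP check that must return 200). The function names, the 60-second State lifetime and the binding of State to the user name are assumptions; the HTTP call is injected as `http_status` so the logic runs offline.

```python
import secrets
import time
from urllib.parse import quote

CHECK_BASE = "http://XXX/check/"  # placeholder host, as written in the post
STATE_TTL = 60                    # seconds a challenge stays valid (assumed)
pending = {}                      # State -> (username, expiry)


def otp_url(username, otp):
    # Percent-encode both values so a User-Name such as "bob&OTP=000000"
    # cannot add or override fields in the request to the OTP service.
    return (f"{CHECK_BASE}username={quote(username, safe='')}"
            f"&OTP={quote(otp, safe='')}")


def first_factor(username, mschap_ok, now=None):
    """Round 1: after MS-CHAP succeeds, issue a State bound to this user."""
    if not mschap_ok:
        return "reject", None
    state = secrets.token_hex(16)
    now = time.time() if now is None else now
    pending[state] = (username, now + STATE_TTL)
    return "challenge", state


def second_factor(username, state, otp, http_status, now=None):
    """Round 2: accept only if State proves round 1 passed for this user
    and the OTP service answers 200. http_status(url) returns an int."""
    now = time.time() if now is None else now
    entry = pending.pop(state, None)      # single use: a replay finds nothing
    if entry is None:
        return "reject"                   # State was never issued by round 1
    bound_user, expiry = entry
    if bound_user != username or now > expiry:
        return "reject"
    try:
        status = http_status(otp_url(username, otp))
    except Exception:
        return "reject"                   # OTP service unreachable: fail closed
    return "accept" if status == 200 else "reject"
```
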