Use 2 modules to auth together.

Alan DeKok aland at
Mon Nov 26 13:02:33 CET 2018

On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf at> wrote:
>   Our user is in AD and VPN will do an MSCHAP authentication first and
> filter property of  User-Name from access request,  then call an
> access-challenge to verify against  the other module whose logic is as
> simple as starting a http request via http://XXX/check/username=
> <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's
> ok.

  That's really just more authorization.

>   Basically, I want to auth a single login against two modules, only both
> of them are successful, the auth could be deemed as OK.

   That's possible, subject to certain caveats.

> # ### authentication #####
> authentication {
>       Auth-Type MS-CHAP {
>                mschap
>                if (ok) {
>                        update reply {
>                                # Create a random State attribute:
>                                State := "%{randstr:XXXXXXXXXXXXX}"
>                                Reply-Message := "Please type your OTP:"
>                        }
>                        # Return Access-Challenge, goes to the 2nd auth.
>                        challenge

  That's good, but it likely won't work due to the NAS.  Doing OTP like that requires support from the NAS.  Does the NAS support doing MS-CHAP and then receiving an Access-Challenge?

  If it does, then your next step is to write down what you want to happen, like this:

1) packet 1 contains MS-CHAP
2) it authenticates agains MS-CHAP
3) if MS-CHAP is successful, it returns a State, challenge, and reply message
4) when the next packet comes in with a state attribute, authenticate the OTP

  Note that the packet in step 4 *should not* contain any MS-CHAP attributes.  It should just contain the response to the OTP.

  So your freeradius configuration is:

1) run MS-CHAP like normal
2) do state / reply-message / challenge in "Auth-Type MS-CHAP"

  As a *separate* item:

3) if packet contains State
4) do OTP verification

  The only thing tying the two packets together is the State attribute.  They are otherwise completely independent.

  Alan DeKok.

More information about the Freeradius-Users mailing list