Use 2 modules to auth together.

luckydog xf luckydogxf at
Tue Nov 27 03:37:40 CET 2018

Find a challenge-support Device and test it out. Let me answer it.

1. Not every NAS supports Access-Challenge, they may just ignore it
and treat it as access-reject. According to my test.

2. my way of raise challeng is correct, it's built-in way of FreeRADIUS.

3. else part seesm correct, too, though I haven't hanle my own auth
method, it's just a fake one.

Thank Alan again.

On Nov 26, 2018, at 12:42 AM, luckydog xf <luckydogxf at

Thank, Alan, you enlighten me.

Turns out  NAS( my VPN) does not support Access-Challenge.  Googled and
found  that Challenge seems to be a speical access-request  packet with the
Code field set to 11. So can I make the conclusion that  it would send an
access-quest again?  in other words, start a new authentication process
like another normal request with an exception that State attribute exists.

Let me suppose my VPN supports Access-Challenge, so my configuation is
something like:

authorize {
      # The first auth does not have any State attribute.
      if (!State) {
                # MS-CHAP has no User-Password, so it's true.
                if (!User-Password )  {
                        # If !State and User-Password is null, then
goes to MS-CHAP:
                        update  {
                                &control:Auth-Type := MS-CHAP

              else { reject }

      # Make sure it does not contain any other attributes except State.

     else {

            update {

             # IS THIS PART CORRECT ? I think so, as a new request is
issued by challage, so it would start over from top to buttom to walk
throught the entire process.

                &control:Auth-Type := MY_OWN_OTP_AUTH



authentication {

      Auth-Type MS-CHAP {
               if (ok) {
                       update reply {
                               # Create a random State attribute:
                               State := "%{randstr:XXXXXXXXXXXXX}"
                               Reply-Message := "Please type your OTP:"
                       # Return Access-Challenge, goes to the 2nd auth.

                       # IS IT the correct way to raise a challange?


 Please help me to take a look at  configuration above, two questions:

1. Is else part correct?  which will use my own python auth module
2. Is it correct to raise a challenge using 'challenge' filter of

Thanks again.

On Mon, Nov 26, 2018 at 8:10 PM Alan DeKok <aland at

>* On Nov 26, 2018, at 2:42 AM, luckydog xf <luckydogxf at <>> wrote:
*>* >   Our user is in AD and VPN will do an MSCHAP authentication first and
*>* > filter property of  User-Name from access request,  then call an
*>* > access-challenge to verify against  the other module whose logic is as
*>* > simple as starting a http request via http://XXX/check/username=
*>* > <http://xxx/check/username=
<http://xxx/check/username=>><USER-NAME>&OTP=<xxxxxx>, if return 200,
*>* it's
*>* > ok.
*>>*   That's really just more authorization.
*>>* >   Basically, I want to auth a single login against two modules, only both
*>* > of them are successful, the auth could be deemed as OK.
*>>*    That's possible, subject to certain caveats.
*>>* > # ### authentication #####
*>* > authentication {
*>* >       Auth-Type MS-CHAP {
*>* >                mschap
*>* >                if (ok) {
*>* >                        update reply {
*>* >                                # Create a random State attribute:
*>* >                                State := "%{randstr:XXXXXXXXXXXXX}"
*>* >                                Reply-Message := "Please type your OTP:"
*>* >                        }
*>* >                        # Return Access-Challenge, goes to the 2nd auth.
*>* >                        challenge
*>>*   That's good, but it likely won't work due to the NAS.  Doing OTP like
*>* that requires support from the NAS.  Does the NAS support doing MS-CHAP and
*>* then receiving an Access-Challenge?
*>>*   If it does, then your next step is to write down what you want to
*>* happen, like this:
*>>* 1) packet 1 contains MS-CHAP
*>* 2) it authenticates agains MS-CHAP
*>* 3) if MS-CHAP is successful, it returns a State, challenge, and reply
*>* message
*>* 4) when the next packet comes in with a state attribute, authenticate the
*>* OTP
*>>*   Note that the packet in step 4 *should not* contain any MS-CHAP
*>* attributes.  It should just contain the response to the OTP.
*>>*   So your freeradius configuration is:
*>>* 1) run MS-CHAP like normal
*>* 2) do state / reply-message / challenge in "Auth-Type MS-CHAP"
*>>*   As a *separate* item:
*>>* 3) if packet contains State
*>* 4) do OTP verification
*>>*   The only thing tying the two packets together is the State attribute.
*>* They are otherwise completely independent.
*>>*   Alan DeKok.
*>>>>* -
*>* List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list