<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>Ideas</TITLE>
</HEAD>
<BODY>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Hi All,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">I’ve been following Thomas Glanzmann’s work on SMS/email OTP with FreeRADIUS and can see it could REALLY save our organisation a lot of money (we’re using SecurID tokens exclusively ATM). I’m trying to work out something to suit us and at the same time be helpful to others in making something useful, not that I’m a coder particularly.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Can I just ask if anyone has any ideas about implementing a beginning process like this:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Authorization:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">- Check the user is in an LDAP group “allowed” to do OTP, using the files and ldap modules. I’m thinking pass back the phone number for SMS from the ldap module, and place it in a custom attribute. OK on that bit.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Authentication:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">- Assuming the user has a phone number in LDAP and is allowed to do OTP, and if the request is new and they authenticate, then we want to generate an OTP and store it. I guess the generation *<B>could</B>* be done in exec or perl modules quite easily or using xlat, but I’m not sure how to do it using that. Then the user, OTP, failed attempts and maybe lock state are stored, preferably in a SQL table. If the request isn’t new, how many tries have they already had?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">- The ordering is the tricky thing here – we need to authenticate the user before an OTP is generated, then challenge against that OTP, incrementing the failure count if the auth fails and then rechallenging up to the failure limit, and then setting Auth-Type if we pass the user. I can’t do unlang in the authentication phase and presumably the post-auth section may not be the place to do all these other checks and SQL bits. I can see why it’s perhaps easier to do all this in exec or perl modules and just return an exit code, but I’d like to see if it can all be done within FR. Once the challenge fails, we need to prompt again until the retry limit.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">- At some point we need to return control variables to determine the account lock state and failed attempts if the user fails and then revisits the NAS, from the SQL module, where I’d like to see the session data stored. I guess this is possible but am not 100% on how it’s done.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">These are just ramblings. I’d forgive people for just ignoring this post, but hopefully someone is interested enough to get something like this working – it’s a great cheap way of doing 2-factor authentication and it’d be nice not to have to go and buy software to do this. I know Thomas Glanzmann has already got this going with rlm_perl and the smsotp module methods using a file-based DB, but I’d like to see LDAP authorization and variable passback (phone numbers/email addresses if using email OTP) filling an SQL DB, or maybe rlm_cache (of which I’ve no knowledge and I think is experimental?) for storage of variables. Also some post-auth SQL storage of cumulative sessions, failed attempts etc., if possible all using FR natively without perl/exec etc., which wouldn’t be too difficult.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Am I dreaming, or can this be done completely within FR without using perl/exec/...?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Cheers</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Andy</FONT></SPAN></P>
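<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">The challenge/retry/lock flow sketched in the post, as an added Python example that is not from the original message, from Thomas Glanzmann’s module or from FreeRADIUS itself: it models the state the poster wants kept in a SQL table (sqlite3 here), generating the OTP only after the password check, counting failed responses and locking the account once the retry limit is hit. The table layout, 6-digit OTP format, 3-try limit and 5-minute expiry are assumptions.</FONT></SPAN></P>

```python
import hmac
import secrets
import sqlite3
import time

MAX_FAILURES = 3   # assumed retry limit; the post leaves the number open
OTP_TTL = 300      # assumed lifetime in seconds of an unanswered challenge

def open_store(path=":memory:"):
    """Create the per-user session table (constructed schema, not FreeRADIUS's)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS otp_session ("
               "username TEXT PRIMARY KEY, otp TEXT, failures INTEGER, "
               "locked INTEGER, created INTEGER)")
    return db

def start_challenge(db, username, password_ok):
    """Step 1: the OTP is generated and stored only after the password authenticates
    and only if the account is not locked. Returns the OTP for the SMS/email sender,
    or None when no challenge may be issued."""
    row = db.execute("SELECT locked FROM otp_session WHERE username=?",
                     (username,)).fetchone()
    if (row and row[0]) or not password_ok:
        return None
    otp = "".join(secrets.choice("0123456789") for _ in range(6))  # CSPRNG digits
    db.execute("INSERT OR REPLACE INTO otp_session VALUES (?,?,?,?,?)",
               (username, otp, 0, 0, int(time.time())))
    db.commit()
    return otp

def verify_challenge(db, username, candidate):
    """Step 2: check the user's response. Returns 'accept', 'challenge' (wrong but
    retries remain, so the NAS should prompt again) or 'reject' (locked/expired/unknown)."""
    row = db.execute("SELECT otp, failures, locked, created FROM otp_session "
                     "WHERE username=?", (username,)).fetchone()
    if row is None or row[2]:
        return "reject"
    otp, failures, _, created = row
    if time.time() - created > OTP_TTL:            # stale challenge: discard it
        db.execute("DELETE FROM otp_session WHERE username=?", (username,))
        db.commit()
        return "reject"
    if hmac.compare_digest(otp.encode(), candidate.encode()):   # constant-time compare
        db.execute("DELETE FROM otp_session WHERE username=?", (username,))
        db.commit()
        return "accept"
    failures += 1
    locked = 1 if failures >= MAX_FAILURES else 0   # lock state survives for later visits
    db.execute("UPDATE otp_session SET failures=?, locked=? WHERE username=?",
               (failures, locked, username))
    db.commit()
    return "reject" if locked else "challenge"
```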
</BODY>
</HTML>