Thats seems like a way to go. But your right... Its very hard to find documentation on this topic. Changed it and now It seems that update check I checket way before th script. ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing SHA-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (updated) ? Evaluating (updated) -> FALSE ++? if (updated) -> FALSE Found Auth-Type = otp # Executing group from file /etc/raddb/sites-enabled/default +- entering group otp {...} [pap] login attempt with password "test2" [pap] Using SHA1 encryption. [pap] User authenticated successfully ++[pap] returns ok [OTP] expand: %{User-Name} -> test2 [OTP] expand: %{User-Password} -> test2 [OTP] expand: %{reply:Secret} -> 891a79d80c9f1cd2 [OTP] expand: %{reply:Pin} -> 0201 [OTP] expand: %{reply:Offset} -> 1 Exec-Program output: Reply-Message += "Enter SMS", State += "12536", Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "12536", Exec-Program: returned: 9 ++[OTP] returns updated Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test2 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 145 to 172.31.2.20 port 56003 Reply-Message += "Enter SMS" State += 0x3132353336 Waking up in 4.9 seconds. Cleaning up request 0 ID 145 with timestamp +1 Ready to process requests. Med venlig hilsen | Best regards Thomas Raabo Senior Network Engineer CCIE #33466 _____________________________________________ tr@zitcom.dk | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66 -----Oprindelig meddelelse----- Fra: freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org [mailto:freeradius-users-bounces+tr=zitcom.dk@lists.freeradius.org] På vegne af Phil Mayers Sendt: 11. oktober 2012 10:56 Til: freeradius-users@lists.freeradius.org Emne: Re: EXEC Access-challenge On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
I´am trying to create a php OTP script with challenge reponse.
echo "Reply-Message += \"Enter SMS\",\n";
echo "State += \"$random\",\n";
echo "Response-Packet-Type = \"Access-Challenge\",\n";
I think that needs to be a control item, not a reply item, and you can't set reply & control items from an "exec" script at the same time. Therefore, I'm not sure you can do that with an exec script alone. See: http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062606... (ignore the non-technical bits, the poster was being... combative) ...and maybe: http://lists.freeradius.org/pipermail/freeradius-users/2012-July/061953.html I think something like the following might be what you need: authorize { ... myexec if (updated) { update control { Response-Packet-Type := Access-Challenge } handled } ... } ...and make your "exec" script return "updated" (9) The server isn't really rigged for scripts/unlang sending Access-Challenge, so this is not a well-explored area. If someone who is using this could write a wiki article detailing the considerations, that would be great. It seems to be a common requirement. I'm guessing the Google "2-step" auth and imitators have rekindled interest in OTP? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html