Thanks a lot Alexander. I'm familiar with python. So rlm_python might a good choice for me. The main thing I want to do is to give remote vpn client a two-factor authentication. Since freeradius, pam and all opensource otp solution are available, I think free two-factor authentication is doable instead the expensive RSA solution. So the first authentication is against our AD. If successful, the system should generate one time password and send it to user through SMS or the other ways. The user then put otp into the 2nd challenge prompt. Freeradius authenticate this otp against otp server.
I already tried using pam to authenticate against AD or OTP. I was trying to use PAM stack to make this happen. But it's hard to put some scripts to send password to user between the two PAM modules. So I turned to FreeRadius to see if it can have some ways to do this.
So if I use rlm_python, I can utilize some existing executable files (like ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and OTP. To send OTP to user is much easier to do in python too. Am I correct?
Thanks for your help.
Lou
madmatrix <[hidden email]> wrote:I *strongly* recommend you use rlm_perl/rlm_python. I found it very
>
> What I'm wanting to do is integrate LDAP and OTP. The OTP I want to
> use doesn't have interface to radius. So I'm planning to get that OTP
> source code into a new FR module. For LDAP part, I just want to
> include the existing module to the new one. Is this doable? I guess I
> may need implant the LDAP module code into the new module too.
>
straight forward to quickly implement rfc2289 with eap-gtc.I think you might find yourself having to either:
> The whole authentication process is: 1. LDAP authentication. 2. If
> successful, do something and request 2nd OTP authencation. If not, reject
> the authentication.
>
* combined password of form "<ldap password> <otp challenge response>"
* two separate RADIUS authentications, say use PAM to first do a
regular RADIUS password check and also require a second check to
another RADIUS server (a FreeRADIUS virtual server for example)
that then does the OTP
As you have not described what the problem is (EAP for 802.1X, web
portal, PAM backed authentication, etc?) it is hard to give you advice.If you use rlm_perl/rlm_python, you will find the job much easier, fast
> From what I read here, the new module must be the way to do this. But
> is there any easy way to integrate existing module like LDAP into the
> new module?
>
on the prototyping front and maintenance will be a lot less trouble (ie,
no need to recompile things as an example).
Cheers
--
Alexander Clouter
.sigmonster says: Don't feed the bats tonight.
-
If you reply to this email, your message will be added to the discussion below:http://freeradius.1045715.n5.nabble.com/chain-two-authentication-modules-together-tp4499333p4499878.htmlTo unsubscribe from chain two authentication modules together, click here.