Hi All,

  I’ve been following Thomas Glanzmann’s work on sms/email otp with freeradius and can see it could REALLY save our organisation a lot of money (we’re using securid tokens exclusively ATM). I’m trying to work out something to suit us and at the same time be helpful to others into making something useful, not that I’m a coder particularly.

Can I just ask if anyone has any ideas about implementing a beginning process like this;

Authorization :

-       Check user is in an ldap group “allowed” to do otp; using the files, and ldap modules. I’m thinking pass back the phone number for sms from the ldap module, and place in a custom attribute. Ok on that bit

Authentication:

-       Assuming user has a phone number in ldap and is allowed to do OTP, and if the request is new and, they authenticate, then we want to generate an OTP and store it. I guess the generation  *could* be done in exec or perl modules quite easily or using xlat, but not sure how to do it using that. Then the user, otp failed attempts and maybe lock state are stored, preferably in a sql table. If request isn’t new, how many tries have they already had?

-       The ordering is the tricky thing here we need to authenticate the user before an otp is generated, then challenge against that otp, incrementing the failure count if the auth fails and then rechallenging up to the failure limit and then setting auth-type if we pass the user. I can’t do unlang in the authentication phase and presumably the post auth section may not be the place to do all these other checks and sql bits. I can see why it’s perhaps easier to do all this in exec or perl modules and just return an exit code, but I’d like to see if it can all be done within FR. Once the challenge fails, we need to prompt again until the retry limit..

-       At some point we need to return control variables from the to determine the account lock state and failed attempts if the user fails and then revisits the NAS - from the SQL module, where I’d like to see the session data stored. I guess this is possible but am not 100% on how it’s done.