Norbert Wegener wrote:
The box I am talking about is a Juniper vpn gateway. There they have Custom Radius Authentication Rules and in the configuration menu there is: If received packet Type :Access Challenge Take action: Show Next Token page
That's pretty common.
Now it seems to me, that after providing the correct login/(static) password combination, not an Access-Accept must be sent, but instead an Access-Challenge.
Yes.
Maybe, this can be done using the otpd, but up to now I am searching on how to realise this. Anyone any idea?
The rlm_otp module is intended to support specific token cards. If you need another kind of token-based authentication, the best bet is to roll your own. See rlm_example for a simple C challenge-response authentication module. You may also need a consistent State attribute. That code is in rlm_eap, but should probably be pulled into src/main, because other modules may need it, too. Alan DeKok.