Thomas Glanzmann wrote:
I have a propiertary radius client which I want to authenticate against freeradius the following way:
- User types is username: directory\Administrator password:secret - Freeradius authenticates against active directory.
Which authentication method? This matters a lot.
This already works
- From the documentation of the propiertary radius client:
After authenticating to RADIUS, you may get another prompt if the RADIUS server responded with a supported Access Challenge. Full generic RADIUS challenge/response is not supported, but a limited access challenge for a string token code is supported.
What does that mean?
- So now I want freeradius to send 'Access Challenge' and send a sms to the user (for that purpose I wrote a perl daemon which listens on a unix socket in order to talk to smsotp freeradius module)[1]. However nothing comes in.
What does that mean? "nothing comes in" ???
authenticate { mschap Auth-Type smsotp { mschap smsotp }
I really doubt that will work.
- Is it possible to do a mschapv2 authentication followed by Access challenge in order to send out a sms with a one time password by configuring freeradius or do I need to code?
No. It's impossible. MS-CHAP is an authentication method with pre-defined meaning, user interaction, and data flow. Adding something to it is impossible.
Where do I find pointers? I read the source code of the smsotp and the rlm_example module, I get the basic idea that first the otp is generated and than it is checked, however I don't get how to configure freeradius to choose the codepath. I also don't get if it is possible to stack authentication methods in freeradius.
Sometimes, yes. It depends on the authentication method. Alan DeKok.