Hi Alan. Nice to get an answer from you. The First factor is password stored in DB. Second is SMS. No, it is not for wifi; it is for VPN. As far as I understand, Cisco ASA sends the request to the radius with the final data: login, password, OTP-code. The only possible way to auth with the OTP is to generate it via phone application like Google Authenticator. My question is, does it possible to send an SMS instead of using the application. Again, I don't ask the ready solution. I try to figure out the process at this point. пт, 20 дек. 2019 г. в 13:40, Alan DeKok <aland@deployingradius.com>:
On Dec 20, 2019, at 6:53 AM, Anton Kiryushkin <swood@fotofor.biz> wrote:
I want to configure the second authorisation factor with EAP-type, and
md5
hashed password saved in MySQL. I found several modules and services like MultiOTP and Smsotp, but I can't understand how to provide the SMS before the authorisation or how to ask FreeRadius to wait for the process sends SMS?
You need to configure a module to send the SMS. How that works depends on how the SMS is sent. And only you know that.
Could you please explain this to me?
What kind of 2 factor auth do you want to do?
To be honest, the only thing that's going to work is TTLS + PAP. Since passwords are stored in MD5 format in the DB, nothing else will work.
But... if this is for WiFi, users will be *very* unhappy if they have to enter a new OTP every time they switch access points. That's just not going to work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best regards, Anton Kiryushkin