On Dec 30, 2017, at 4:41 AM, Mathias Sundman <mathias@nilings.se> wrote:
Just in case someone else is searching for the same problem, I’ve cleaned up the logic to make it work with multiple virtual servers where I manually force proxying to a specific Realm, instead of relying on the suffix/realm module to enable the proxying. This is now what I ended up with:
Updating a page on the Wiki would be nice, too. :)
authorize { if (!State) { ldap if (ok) { update control { Auth-Type := LDAP }
That shouldn't be necessary. i.e. if you have a standards-compliant LDAP server, it can return the "known good" password, and the PAP module can check the password.
authenticate { Auth-Type LDAP {
It's probably best to re-name this to something descriptive, like "two-factor"
ldap
This should probably be the "pap" module.
if (ok) { update session-state { Tmp-Integer-0 := "%{randstr:n}" }
Why are you updating the session-state here? That's not the State attribute. You should be updating the state attribute in the reply.
update reply { Reply-Message := "Please enter OTP" } challenge } } }
pre-proxy { attr_filter.pre-proxy }
If you believe the logic is still flawed in any way, please let me know, otherwise I thank you again Alan for the quick reply and consider the problem solved.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html