On 9 Sep 2012, at 05:27, Thomas Glanzmann <thomas@glanzmann.de> wrote:
Hello Arran,
What is the server missing as of 2.2.0 that requires the use of rlm_perl?
I'm not aware of the FreeRadius internals but you can simply look at the FreeRadius Module rlm_smsotp. This is what happens.
- User authenticates with PAP - The server answer will be of access challenge type and includes two additional fields:
- State: Random number (FreeRadius has to keep it an associate that with the generated otp)
- Prompt
At the same time a otp random number is also saved and associated with the state and the user and sent to the user for example using a SMS but it could of course use any other otp method for example with preshared key.
- The client answeres and provide the state and otp in the 'passowrd' field. The server than has to verify:
- Is the state corresponding to user name and otp?
- Is the request still valid (timeout)?
That's basically it.
Ok
On the surface it seems all you're missing is random string generation?
If it can't do that, than yes for the state and the otp value.
With 3.0 you can define policies which have 'methods' that map to the different sections of the server, so you could write the whole thing as a virtual module.
If you walk me through it, I would like to try that.
Just name your policies using <virtual_module>.<section> {}, then use instances of the always module to set the return code :) For storing the state take a look at the new rlm_cache module, it'd be perfect for this (so long as you don't need state to be shared between servers, or persist after restarts). I'll look at adding a special xlat method to generate random strings. -Arran