Using freeRadius with OTP and gateway
Hi everyone, I'm using Freeradius 2.1.12 on a server Debian. I have an another server Debian with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connected on the AP, a web page is coming with a formular to connect. Then the user enter is information (username and password) and Coovachilli made the authentication on the radius and this is working fine. Now I want to make something different, when the user connected on the AP, I want that he received a little formular, then he need to enter a username (not know on the radius) and i want the radius to create a One Time Password and send it to the user (on an another webpage). And the user send this OTP via SMS to a smsm gateway to finish the authentication, is that possible, and if yes, could someone explain to me how I can make it ? For the gateway sms I am using SMSLib (java library) on the same server as freeradius. Best regards and sorry for my bad english (from switzerland). -- Mercier Valentin
Hi Mercier What it sounds like you are trying to do, needs more than just the radius server to do it. One of the features I'm writing for the Grase Hotspot (which uses Coova Chilli and Freeradius), is the ability for the user to create an account based on their mobile number. It goes a bit like this. User is presented with a form that allows them to enter a "username" which has to be their mobile number. The form is submitted to a php script, which then creates a user in the radius tables (SQL) with the username as their mobile number, and generates them a random password. The same php script then sends that random password via a sms gateway to the users mobile phone (confirming that the number is correct and the user has possession of it). The user is then presented with a normal login form, which they can use the mobile number, and the password they received as a sms, to login which is handled via normal Coova Chilli and Radius. What you could do, is again, using a php script, generate the OTP and create the user in a special temporary table with the OTP and a password (maybe the user sets the password as well). Then, the user sends the OTP to the special number, and waits. When the SMS arrives at the special number, it would need to trigger a script somehow (not sure how you receive your SMS as all the gateways I use are for sending only), which would then confirm the OTP from the temporary table, if it is valid then we create the user with the password specified in the table, and then the user can login. I'm assuming though, what you want to do, sounds like 2 different things. Firstly you want the Radius server to create a user when there is no user known. For this, you are going to need a script that does it. I prefer an external script, but you could use rlm_perl or similar to do it. The seconds half of what you are doing, sounds like using OTP's for the user. There are a few ways to do this, but normally the user ether has an application (i.e. smartphone, or security token dongle thing) that is pre-authorised with codes to assist with generating the time based OTP's. Or, a list of use once passwords that the server also has, to be used in order. Or, as most banks around here do, sending a sms to the authorised phone number of the user, so the user uses that instead of their normal password. I hope that is clear. You probably need to do 2 different things to get the solution you want. Tim On 07/03/12 22:56, Mercier Valentin wrote:
Hi everyone,
I'm using Freeradius 2.1.12 on a server Debian. I have an another server Debian with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connected on the AP, a web page is coming with a formular to connect. Then the user enter is information (username and password) and Coovachilli made the authentication on the radius and this is working fine.
Now I want to make something different, when the user connected on the AP, I want that he received a little formular, then he need to enter a username (not know on the radius) and i want the radius to create a One Time Password and send it to the user (on an another webpage). And the user send this OTP via SMS to a smsm gateway to finish the authentication, is that possible, and if yes, could someone explain to me how I can make it ?
For the gateway sms I am using SMSLib (java library) on the *same* server as freeradius.
Best regards and sorry for my bad english (from switzerland). -- Mercier Valentin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Mercier, the interesting part about your idea is, that the user sends the SMS to authenticate, this avoids that you will have to pay for the SMS. Most solutions send the SMS with the OTP to the user, so that you - the provider - will have to pay for the SMS sending. Nevertheless you might take a look at LinOTP, which does one time password authentication and come with a freeradius module, so that integration in your scenario could be rather simple. Also in this case the RADIUS server does not know the users, but the auth request (with user and OTP) is forwarded to the linotp daemon, which in turn is able to verify the username and the provided OTP. The users can be fetched from any flat file and/or LDAP and/or SQL database. Only drawback for your case is the thing with "who sends the sms". Kind regards Cornelius Am 07.03.2012 13:56, schrieb Mercier Valentin:
Hi everyone,
I'm using Freeradius 2.1.12 on a server Debian. I have an another server Debian with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connected on the AP, a web page is coming with a formular to connect. Then the user enter is information (username and password) and Coovachilli made the authentication on the radius and this is working fine.
Now I want to make something different, when the user connected on the AP, I want that he received a little formular, then he need to enter a username (not know on the radius) and i want the radius to create a One Time Password and send it to the user (on an another webpage). And the user send this OTP via SMS to a smsm gateway to finish the authentication, is that possible, and if yes, could someone explain to me how I can make it ?
For the gateway sms I am using SMSLib (java library) on the *same* server as freeradius.
Best regards and sorry for my bad english (from switzerland). -- Mercier Valentin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Cornelius and Tim, First I want to apologize for my response pending, lot of things to do. Then thank you so much for your advices, but for now we think that the OTP system is not good for our implementation. But with some research we made, we have an another question. We want to enable on free radius the Access Request --> Access Challenge --> Access Request --> Access Accept / Reject, with CHAP, but we don't know how to do this, and if you can help us it would be great. Because I read that usually with this kind of implementation the Access Challenge contain a "message" with which the client need to calculate the response. And for now that enough for us. Thanks in advance, best regards -- Mercier Valentin Le jeudi, 8 mars 2012 à 08:22, Cornelius Kölbel a écrit :
Hello Mercier,
the interesting part about your idea is, that the user sends the SMS to authenticate, this avoids that you will have to pay for the SMS. Most solutions send the SMS with the OTP to the user, so that you - the provider - will have to pay for the SMS sending. Nevertheless you might take a look at LinOTP, which does one time password authentication and come with a freeradius module, so that integration in your scenario could be rather simple. Also in this case the RADIUS server does not know the users, but the auth request (with user and OTP) is forwarded to the linotp daemon, which in turn is able to verify the username and the provided OTP. The users can be fetched from any flat file and/or LDAP and/or SQL database. Only drawback for your case is the thing with "who sends the sms".
Kind regards Cornelius
Hi everyone,
I'm using Freeradius 2.1.12 on a server Debian. I have an another server Debian with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connected on the AP, a web page is coming with a formular to connect. Then the user enter is information (username and password) and Coovachilli made the authentication on the radius and this is working fine.
Now I want to make something different, when the user connected on the AP, I want that he received a little formular, then he need to enter a username (not know on the radius) and i want the radius to create a One Time Password and send it to the user (on an another webpage). And the user send this OTP via SMS to a smsm gateway to finish the authentication, is that possible, and if yes, could someone explain to me how I can make it ?
For the gateway sms I am using SMSLib (java library) on the same server as freeradius.
Best regards and sorry for my bad english (from switzerland). -- Mercier Valentin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am 07.03.2012 13:56, schrieb Mercier Valentin: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mercier Valentin wrote:
But with some research we made, we have an another question. We want to enable on free radius the Access Request --> Access Challenge --> Access Request --> Access Accept / Reject, with CHAP, but we don't know how to do this, and if you can help us it would be great.
You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite it's name.
Because I read that usually with this kind of implementation the Access Challenge contain a "message" with which the client need to calculate the response. And for now that enough for us.
CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server. If you want challenge-response controlled by the RADIUS server, use EAP-MD5. Alan DeKok.
You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite it's name. Ho ok, so I think I haven't good understand CHAP, my bad, sorry. CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server.
If you want challenge-response controlled by the RADIUS server, use EAP-MD5. And you think with EAP-MD5, I can prompt a "challenge" or number to the client and I can calculate the response, and then I can send an another Radius request to the server for the final authentication ?
Thanks for your answer Alan. Best regards -- Mercier Valentin Le mercredi, 14 mars 2012 à 20:46, Alan DeKok a écrit :
Mercier Valentin wrote:
But with some research we made, we have an another question. We want to enable on free radius the Access Request --> Access Challenge --> Access Request --> Access Accept / Reject, with CHAP, but we don't know how to do this, and if you can help us it would be great.
You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite it's name.
Because I read that usually with this kind of implementation the Access Challenge contain a "message" with which the client need to calculate the response. And for now that enough for us.
CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server.
If you want challenge-response controlled by the RADIUS server, use EAP-MD5.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Cornelius Kölbel -
Mercier Valentin -
Tim White