mideye authentication
One of our customers uses an authentication service from Mideye, which is described this way: The end-user requests access to a protected application, and is prompted for a user name and password. If the correct credentials have been provided, a one- time password (OTP) is presented on the user's mobile phone. The user is requested to enter the OTP, and if the correct OTP is returned, access is granted. http://www.mideye.com/index.php3?bredd=268.5 It should be simple to generate a one time password, throw it into a database,send it via sms and make it available for the next time, the user requests access. The problem here seems to be, that after a first successfull authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it? Norbert Wegener
otp.conf in raddb directory. Ivan Kalik Kalik Informatika ISP Dana 29/2/2008, "Norbert Wegener" <norbert.wegener@siemens.com> piše:
One of our customers uses an authentication service from Mideye, which is described this way:
The end-user requests access to a protected application, and is prompted for a user name and password. If the correct credentials have been provided, a one- time password (OTP) is presented on the user's mobile phone. The user is requested to enter the OTP, and if the correct OTP is returned, access is granted.
http://www.mideye.com/index.php3?bredd=268.5
It should be simple to generate a one time password, throw it into a database,send it via sms and make it available for the next time, the user requests access. The problem here seems to be, that after a first successfull authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?
Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
It should be simple to generate a one time password, throw it into a database,send it via sms and make it available for the next time, the user requests access. The problem here seems to be, that after a first successfull authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?
You first need to define what you mean by "successful authentication". Is it sending an Access-Accept? Or receiving an Accounting start for that user? For this kind of special requirements, I would suggest writing a C module that implements the logic. It should be very small, even if it stores the passwords in SQL. You could do much of the logic in "unlang". The only part I'm not sure about is the insert/query/delete from a database. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener wrote:
It should be simple to generate a one time password, throw it into a database,send it via sms and make it available for the next time, the user requests access. The problem here seems to be, that after a first successfull authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?
You first need to define what you mean by "successful authentication". Is it sending an Access-Accept? Or receiving an Accounting start for that user?
For this kind of special requirements, I would suggest writing a C module that implements the logic. It should be very small, even if it stores the passwords in SQL.
Would otpd, which is mentioned in otp.conf do that job? Up to now I had not time to take a look at it. Norbert Wegener
You could do much of the logic in "unlang". The only part I'm not sure about is the insert/query/delete from a database.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener wrote:
Alan DeKok wrote:
Norbert Wegener wrote:
It should be simple to generate a one time password, throw it into a database,send it via sms and make it available for the next time, the user requests access. The problem here seems to be, that after a first successfull authentication another one with only a new password but the already entered username has to be done. Can this be realised with an actual freeradius? If so: Where can I find documentation about it?
You first need to define what you mean by "successful authentication". Is it sending an Access-Accept? Or receiving an Accounting start for that user? The box I am talking about is a Juniper vpn gateway. There they have Custom Radius Authentication Rules and in the configuration menu there is: If received packet Type :Access Challenge Take action: Show Next Token page
Now it seems to me, that after providing the correct login/(static) password combination, not an Access-Accept must be sent, but instead an Access-Challenge. Maybe, this can be done using the otpd, but up to now I am searching on how to realise this. Anyone any idea? Norbert Wegener
Norbert Wegener wrote:
The box I am talking about is a Juniper vpn gateway. There they have Custom Radius Authentication Rules and in the configuration menu there is: If received packet Type :Access Challenge Take action: Show Next Token page
That's pretty common.
Now it seems to me, that after providing the correct login/(static) password combination, not an Access-Accept must be sent, but instead an Access-Challenge.
Yes.
Maybe, this can be done using the otpd, but up to now I am searching on how to realise this. Anyone any idea?
The rlm_otp module is intended to support specific token cards. If you need another kind of token-based authentication, the best bet is to roll your own. See rlm_example for a simple C challenge-response authentication module. You may also need a consistent State attribute. That code is in rlm_eap, but should probably be pulled into src/main, because other modules may need it, too. Alan DeKok.
..
See rlm_example for a simple C challenge-response authentication module. You may also need a consistent State attribute. That code is in rlm_eap, but should probably be pulled into src/main, because other modules may need it, too.
Thanks, that was the missing link. Norbert Wegener
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ivan Kalik -
Norbert Wegener