Hi, I am trying to setup a biometric authentication using freeradius, first the user gives his/her password and then uses fingerprint information. On positive matches the user is authenticated. Can it be implemented? Is there literature that I need to have a look at? Thanks in advance Kenneth ____________________________________________________________________________________ Need a quick answer? Get one in minutes from people who know. Ask your question on www.Answers.yahoo.com
Kenneth Penza wrote:
I am trying to setup a biometric authentication using freeradius, first the user gives his/her password and then uses fingerprint information. On positive matches the user is authenticated.
Can it be implemented? Is there literature that I need to have a look at?
Almost anything can be implemented. The question is how does the fingerprint information get to the RADIUS server? And what does the RADIUS server do with it? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi there, i am trying to setup a time based one time password with the freeradius. (no challange response !!) i have a mobile phone that produces a token. the token is a md5-hash of a shared-secret and the actual time in ms. now i want to configure the freeradius server the following way: the user has to enter his uername and the produced token from the mobile phone. this information is sent to the freeradius-server. the server is connected to a ldap-database and looks up if the user exists. if the user exists, he gets the shared-secret from the ldap. now the freeradius has to calculate some tokens (cause time on server and mobile are not the same). md5 of the shared secret from the user from ldap and actual time. after that he has to compare the calculated tokens with the token that was provided by the user. on positiv matches the user is authenticated. Can it be implemented? Is there literature that I need to have a look at? Is there already a plugin that supports time based one time passwords? Can anyone help me with setting up this scenario??? best regards peter urban _________________________________________________________________ Sie suchen E-Mails, Dokumente oder Fotos? Die neue MSN Suche Toolbar mit Windows-Desktopsuche liefert in sekundenschnelle Ergebnisse. Jetzt neu! http://desktop.msn.de/ Jetzt gratis downloaden!
Peter Urban wrote:
i have a mobile phone that produces a token. the token is a md5-hash of a shared-secret and the actual time in ms.
Is this a standardized method? If so, what's the name?
now the freeradius has to calculate some tokens (cause time on server and mobile are not the same). md5 of the shared secret from the user from ldap and actual time.
Write a program to do this, and run the program when a packet is received. See rlm_exec.
Can it be implemented? Is there literature that I need to have a look at? Is there already a plugin that supports time based one time passwords?
There's no existing plugin. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
hi alan, rlm_exec is a very good hint. i will have a look.
Is this a standardized method? If so, what's the name? no its not standardized. it is similar to the RSA securID. i am developping this program/system for my thesis. ;)
best regards and thanks for the very fast response.
From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Help with Freeradius and implementing time basedOne-Time-Passwords Date: Sun, 10 Dec 2006 11:19:42 -0800
Peter Urban wrote:
i have a mobile phone that produces a token. the token is a md5-hash of a shared-secret and the actual time in ms.
Is this a standardized method? If so, what's the name?
now the freeradius has to calculate some tokens (cause time on server and mobile are not the same). md5 of the shared secret from the user from ldap and actual time.
Write a program to do this, and run the program when a packet is received. See rlm_exec.
Can it be implemented? Is there literature that I need to have a look at? Is there already a plugin that supports time based one time passwords?
There's no existing plugin.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Sie suchen E-Mails, Dokumente oder Fotos? Die neue MSN Suche Toolbar mit Windows-Desktopsuche liefert in sekundenschnelle Ergebnisse. Jetzt neu! http://desktop.msn.de/ Jetzt gratis downloaden!
I have implemented this exact solution with a Polish application (I'm based in Poland). And it worked. Although mine was using mysql for the user storage, but ldap was also an option. Mine runs with a Java application on the mobile phone, which I've set to allow 60 second timings for the password validity. The application that is providing the one-time password functionality should integrate with the radius server without any major config changes. You fail to mention the application your trying to use? Ian Walker On 09/12/06, Peter Urban <jebogi2004@hotmail.com> wrote:
Hi there,
i am trying to setup a time based one time password with the freeradius. (no challange response !!)
i have a mobile phone that produces a token. the token is a md5-hash of a shared-secret and the actual time in ms.
now i want to configure the freeradius server the following way:
the user has to enter his uername and the produced token from the mobile phone. this information is sent to the freeradius-server. the server is connected to a ldap-database and looks up if the user exists. if the user exists, he gets the shared-secret from the ldap.
now the freeradius has to calculate some tokens (cause time on server and mobile are not the same). md5 of the shared secret from the user from ldap and actual time.
after that he has to compare the calculated tokens with the token that was provided by the user.
on positiv matches the user is authenticated.
Can it be implemented? Is there literature that I need to have a look at? Is there already a plugin that supports time based one time passwords?
Can anyone help me with setting up this scenario???
best regards peter urban
_________________________________________________________________ Sie suchen E-Mails, Dokumente oder Fotos? Die neue MSN Suche Toolbar mit Windows-Desktopsuche liefert in sekundenschnelle Ergebnisse. Jetzt neu! http://desktop.msn.de/ Jetzt gratis downloaden!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, we have a customer who wants to use the Meetinghouse supplicant (now cisco) integrated with Novell client. The customer want to use 802.1x (EAP-TLS / EAP-TTLS) authentication based on username and password stored in eDirectory. Also he wants to use Freeradius. So we want to know: 1) is it possible ? it means ...can we use freeradius and eDir as back-end.? 2) Has someone experience in any deployment like this ? any comment or advice ? Thanks in advance
Am Donnerstag, 14. Dezember 2006 11:58 schrieb Mariano Morano:
Hi all, we have a customer who wants to use the Meetinghouse supplicant (now cisco) integrated with Novell client.
The customer want to use 802.1x (EAP-TLS / EAP-TTLS) authentication based on username and password stored in eDirectory. Also he wants to use Freeradius.
So we want to know:
1) is it possible ? it means ...can we use freeradius and eDir as back-end.?
2) Has someone experience in any deployment like this ? any comment or advice ?
Thanks in advance
Hi, should be possible. 1) Does the eDir installation provide a RADIUS protocol stack? If yes, just configure FR to do proxy. 2) If no: Configure FR do ask eDir via LDAP. OpenLDAP is easy and there are lots of examples on the net. You should be able to transfer it to eDir. -- Dr. Michael Schwartzkopff MultiNET Services GmbH Bretonischer Ring 7 85630 Grasbrunn Tel: (+49 89) 456 911 - 0 Fax: (+49 89) 456 911 - 21 mob: (+49 174) 343 28 75 PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B Skype: misch42
Mariano Morano wrote:
The customer want to use 802.1x (EAP-TLS / EAP-TTLS) authentication based on username and password stored in eDirectory. Also he wants to use Freeradius.
EAP-TTLS, with PAP in the SSL tunnel will work.
1) is it possible ? it means ...can we use freeradius and eDir as back-end.?
2) Has someone experience in any deployment like this ? any comment or advice ?
Configure it, it will work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Thu 14 Dec 2006 12:58, Mariano Morano wrote:
Hi all, we have a customer who wants to use the Meetinghouse supplicant (now cisco) integrated with Novell client.
The customer want to use 802.1x (EAP-TLS / EAP-TTLS) authentication based on username and password stored in eDirectory. Also he wants to use Freeradius.
So we want to know:
1) is it possible ? it means ...can we use freeradius and eDir as back-end.?
2) Has someone experience in any deployment like this ? any comment or advice ?
http://www.novell.com/coolsolutions/tip/15922.html http://www.novell.com/documentation/edir_radius/index.html?page=/documentati... -- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
Alan, I was thinking to have the reader on the client side and send the password and the biometric data to the freeradius on the server, which in turn checks and upon the outcome the user is authenticated or not. I do not know which attribute should i use for the biometric data. Regards Kenneth --- Alan DeKok <aland@deployingradius.com> wrote:
Kenneth Penza wrote:
I am trying to setup a biometric authentication
using
freeradius, first the user gives his/her password and then uses fingerprint information. On positive matches the user is authenticated.
Can it be implemented? Is there literature that I need to have a look at?
Almost anything can be implemented. The question is how does the fingerprint information get to the RADIUS server? And what does the RADIUS server do with it?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
____________________________________________________________________________________ Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com
Kenneth Penza wrote:
I was thinking to have the reader on the client side and send the password and the biometric data to the freeradius on the server, which in turn checks and upon the outcome the user is authenticated or not. I do not know which attribute should i use for the biometric data.
There is no standard attribute for that. Invent one. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (7)
-
Alan DeKok -
Ian Walker -
Kenneth Penza -
Mariano Morano -
Michael Schwartzkopff -
Peter Nixon -
Peter Urban