Regarding providing Custom TOTP MFA in freeradius
Dineshkumar pachamuthu
dineshkumar.pachamuthu at gmail.com
Tue Apr 30 11:40:36 UTC 2024
Hi Alan,
Thanks for the reply, and sorry for the late reply. I understand that sending an
Access-Challenge is not possible with TTLS or with any EAP type, since the
supplicant will not be able to process it.
I have one more question: is there a way to tell the client/supplicant to
use Access-Requests with a specific EAP type? If the RADIUS client sends
PEAP (MSCHAPv2) in the inner-tunnel, I want to send the supplicant a NAK request
and ask for only EAP-TTLS/PAP, so the client will resend the request with
EAP-TTLS/PAP. Is this feasible by changing details in the inner-tunnel or server
config files?
Thanks
Dineshkumar
On Tue, Apr 2, 2024 at 7:09 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Apr 2, 2024, at 2:06 AM, Dineshkumar pachamuthu <
> dineshkumar.pachamuthu at gmail.com> wrote:
> > I have recently been working and developing with the FreeRADIUS EAP
> > protocol. I need to send an Access-Challenge with State and a
> > Reply-Message "Enter TOTP" inside the inner-tunnel of the EAP-TTLS/PAP protocol,
> > which will prompt the user to enter the TOTP and send the Access-Request again,
> > and the server will then process and authenticate the user for MFA.
> >
> > I have tried this inside the authorize section of inner-tunnel, but the
> > EAP module sends an Access-Reject when I make this change.
> > Please guide me in the proper direction on how to achieve this in our
> > environment.
>
> There is no mechanism in the EAP-TTLS protocol where you can send an
> Access-Challenge back to the end user device. Even if you sent a
> Reply-Message to it inside of the TTLS tunnel, the end user device would
> ignore it.
>
> No EAP-TTLS supplicant supports prompting users with a challenge.
>
> Alan DeKok.
>
>
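On the NAK question raised above: in EAP (RFC 3748) the Nak (Type 3) is a Response that only the peer (supplicant) sends, in reply to a Request proposing a method it is not willing to run; the authenticator never Naks. The server's role is to propose a method (in FreeRADIUS the first proposal is the eap module's `default_eap_type`), and if the peer Naks with a list of the types it does support, the server may propose one of those or give up with Failure. It cannot make a PEAP-only supplicant switch to EAP-TTLS. The following simulation of that exchange is an added example, not code from this thread or from FreeRADIUS; the helper names (`build_eap`, `parse_eap`, `peer_respond`, `negotiate`) are assumptions made for illustration, and the method lists are constructed sample input.

```python
"""Simulate EAP method negotiation (RFC 3748 section 5.3): the authenticator
proposes a method, the peer either starts it or answers with a Nak listing the
methods it supports. Example code, not FreeRADIUS's own implementation."""
import struct

# EAP Codes (RFC 3748 section 4) and the Types used here (section 5 / IANA registry)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TTLS, TYPE_PEAP = 1, 3, 21, 25
NAMES = {TYPE_IDENTITY: "Identity", TYPE_NAK: "Nak", TYPE_TTLS: "EAP-TTLS", TYPE_PEAP: "PEAP"}


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Success/Failure carry no Type octet; Request/Response always do."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into a dict, validating the Length field."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}


def peer_respond(request, peer_methods):
    """Supplicant side: if the proposed method is one it supports, answer with a
    Response of that Type (start of that method's conversation); otherwise send a
    Nak whose Type-Data lists the methods it is willing to run."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST:
        raise ValueError("peer only answers Requests")
    if req["type"] in peer_methods:
        return build_eap(EAP_RESPONSE, req["id"], req["type"], b"")
    return build_eap(EAP_RESPONSE, req["id"], TYPE_NAK, bytes(peer_methods))


def negotiate(server_methods, peer_methods):
    """Authenticator side. server_methods is the server's preference order, the
    first entry playing the role of FreeRADIUS's default_eap_type. On a Nak the
    server re-proposes its most-preferred method that the peer listed; if there is
    no overlap it sends Failure. Returns (negotiated_type_or_None, transcript)."""
    transcript = []
    identifier = 1
    proposal = server_methods[0]
    while identifier <= 255:  # Identifier is one octet; never loop forever
        request = build_eap(EAP_REQUEST, identifier, proposal)
        transcript.append(("server->peer", "Request", NAMES.get(proposal, proposal)))
        resp = parse_eap(peer_respond(request, peer_methods))
        if resp["id"] != identifier:
            raise ValueError("Response Identifier does not match Request")
        if resp["type"] == proposal:
            transcript.append(("peer->server", "Response", NAMES.get(proposal, proposal)))
            return proposal, transcript
        if resp["type"] != TYPE_NAK:
            raise ValueError("unexpected Response Type %r" % resp["type"])
        wanted = list(resp["data"])  # the peer's list of acceptable method Types
        transcript.append(("peer->server", "Nak", [NAMES.get(t, t) for t in wanted]))
        candidates = [m for m in server_methods if m in wanted]
        if not candidates:
            transcript.append(("server->peer", "Failure", None))
            return None, transcript
        proposal = candidates[0]
        identifier += 1
    transcript.append(("server->peer", "Failure", None))
    return None, transcript


if __name__ == "__main__":
    # Constructed sample: server configured for EAP-TTLS only, supplicant does PEAP only.
    result, log = negotiate([TYPE_TTLS], [TYPE_PEAP])
    for entry in log:
        print(entry)
    print("negotiated:", NAMES.get(result, result))
```

The third scenario in the test below is the one asked about in the thread: with the server offering only EAP-TTLS and the supplicant configured only for PEAP, the peer Naks and the server can only send Failure; the server has no message that makes the supplicant change its configured method.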