mideye authentication

Alan DeKok aland at deployingradius.com
Mon Mar 3 07:36:41 CET 2008


Norbert Wegener wrote:
> The box I am talking about is a Juniper VPN gateway. There they have
> Custom Radius Authentication Rules and in the configuration menu there is:
> If received packet Type :Access Challenge
> Take action: Show Next Token page

  That's pretty common.

> Now it seems to me, that after providing the correct login/(static)
> password combination, not an Access-Accept must be sent, but instead an
> Access-Challenge.

  Yes.

> Maybe, this can be done using the otpd, but up to now I am searching on
> how to realise this.
> Anyone any idea?

  The rlm_otp module is intended to support specific token cards.  If
you need another kind of token-based authentication, the best bet is to
roll your own.

  See rlm_example for a simple C challenge-response authentication
module.  You may also need a consistent State attribute.  That code is
in rlm_eap, but should probably be pulled into src/main, because other
modules may need it, too.

  Alan DeKok.
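
The two-round exchange discussed above, as an added example that is not part of the original post and is not FreeRADIUS code: a correct static password earns an Access-Challenge carrying a State value, and the token code is only accepted together with that State. The user table, key handling, State layout and 60-second lifetime are assumptions made for the illustration.

```python
import hashlib, hmac, os, struct, time

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11   # RFC 2865 packet codes
KEY = os.urandom(32)        # server-side secret used to authenticate State (assumption)
LIFETIME = 60               # seconds a challenge stays answerable (assumption)
USERS = {"alice": (b"static-pw", b"492817")}   # constructed: static password, expected token
_used = set()               # State values already answered, to stop replay

def _mac(body, user):
    return hmac.new(KEY, body + user.encode(), hashlib.sha256).digest()[:16]

def make_state(user, now):
    """State = issue time + nonce + MAC, bound to the user name."""
    body = struct.pack("!I", int(now)) + os.urandom(8)
    return body + _mac(body, user)

def check_state(state, user, now):
    if len(state) != 28:
        return False
    body, mac = state[:12], state[12:]
    if not hmac.compare_digest(mac, _mac(body, user)):
        return False
    issued = struct.unpack("!I", body[:4])[0]
    return 0 <= now - issued <= LIFETIME

def handle(req, now=None):
    """Return (packet code, reply attributes) for one Access-Request."""
    now = time.time() if now is None else now
    user = req.get("User-Name", "")
    if user not in USERS:
        return ACCESS_REJECT, {}
    static_pw, token = USERS[user]
    password = req.get("User-Password", b"")
    state = req.get("State")
    if state is None:
        # Round 1: a correct static password earns a challenge, not an accept.
        if hmac.compare_digest(password, static_pw):
            return ACCESS_CHALLENGE, {"State": make_state(user, now)}
        return ACCESS_REJECT, {}
    # Round 2: the NAS echoes State and sends the token code as User-Password.
    if state in _used or not check_state(state, user, now):
        return ACCESS_REJECT, {}
    _used.add(state)         # one answer per challenge, right or wrong
    ok = hmac.compare_digest(password, token)
    return (ACCESS_ACCEPT if ok else ACCESS_REJECT), {}
```

Because the State is checked with a MAC over the user name and issue time, a token code sent without a State, with a modified State, or after the lifetime has passed is rejected.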


