pre-check OTP token

Cor Bosman cor at
Mon Jul 4 11:57:54 CEST 2011

Hi all, im setting up an OTP authentication service for our customer base. They should be able to authenticate with both their login/pass or an OTP.   Ive got this working just fine by using PAM/radius where each pam services checks 2 radius servers. First the one doing the login/pass (this is a bit of a black box I cant modify too easily), and if that fails it checks the OATH/TOTP/HOTP radius daemon. The second radius server is a Freeradius installation, where the OTP checks are (currently) done using exec. The idea is that customers could be in an insecure environment like an internet cafe and use their OTP token to login through their regular websites or even with their IMAP client. 

Since we have a pretty large userbase of a few hundred thousand customers, and are regularly bombarded with brute force attacks in some form, i expect a lot of hits on the OTP radius server. 

Would their be some way, in either the PAM stage, or in the FreeRadius stage before Exec to pre-validate if ive got a token-reponse? They're always 10 digit numbers.  



Freeradius: 2.1.10

More information about the Freeradius-Users mailing list