chain two authentication modules together
madmatrix
hailumeng at gmail.com
Fri Jun 17 22:58:38 CEST 2011
Thanks a lot Alexander. I'm familiar with Python, so rlm_python might be a good
choice for me. The main thing I want to do is to give remote VPN clients
two-factor authentication. Since FreeRADIUS, PAM and all the open-source OTP
solutions are available, I think free two-factor authentication is doable
instead of the expensive RSA solution. So the first authentication is against
our AD. If successful, the system should generate a one-time password and send
it to the user through SMS or other ways. The user then puts the OTP into the 2nd
challenge prompt. FreeRADIUS authenticates this OTP against the OTP server.
I already tried using PAM to authenticate against AD or OTP. I was trying to
use the PAM stack to make this happen. But it's hard to put some scripts to send
the password to the user between the two PAM modules. So I turned to FreeRADIUS to
see if it has some way to do this.
So if I use rlm_python, I can utilize some existing executable files (like
ldapsearch, ldapcompare, otp_auth) to directly authenticate against LDAP and
OTP. Sending the OTP to the user is much easier to do in Python too. Am I correct?
Thanks for your help.
Lou
On Fri, Jun 17, 2011 at 3:10 PM, Alexander Clouter [via FreeRadius] wrote:
> madmatrix wrote:
> >
> > What I'm wanting to do is integrate LDAP and OTP. The OTP I want to
> > use doesn't have interface to radius. So I'm planning to get that OTP
> > source code into a new FR module. For LDAP part, I just want to
> > include the existing module to the new one. Is this doable? I guess I
> > may need implant the LDAP module code into the new module too.
> >
> I *strongly* recommend you use rlm_perl/rlm_python. I found it very
> straight forward to quickly implement rfc2289 with eap-gtc.
>
> > The whole authentication process is: 1. LDAP authentication. 2. If
> > successful, do something and request 2nd OTP authentication. If not, reject
> > the authentication.
> >
> I think you might find yourself having to either:
> * combined password of form "<ldap password> <otp challenge response>"
> * two separate RADIUS authentications, say use PAM to first do a
> regular RADIUS password check and also require a second check to
> another RADIUS server (a FreeRADIUS virtual server for example)
> that then does the OTP
>
> As you have not described what the problem is (EAP for 802.1X, web
> portal, PAM backed authentication, etc?) it is hard to give you advice.
>
> > From what I read here, the new module must be the way to do this. But
> > is there any easy way to integrate existing module like LDAP into the
> > new module?
> >
> If you use rlm_perl/rlm_python, you will find the job much easier, fast
> on the prototyping front and maintenance will be a lot less trouble (ie,
> no need to recompile things as an example).
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Don't feed the bats tonight.
>
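One way to realise the AD-then-OTP flow discussed in this thread (password check, Access-Challenge carrying the State attribute, OTP check on the second request) as an rlm_python module, added here as an example that is not from the thread or from the FreeRADIUS project. It assumes the FreeRADIUS 2.x rlm_python calling convention (request as a tuple of (name, value) pairs, return either a code or a (code, reply, config) tuple, challenge sent via Response-Packet-Type = Access-Challenge) and uses a constructed in-memory directory and SMS outbox in place of AD and a real SMS gateway.

```python
import hmac, secrets, time

# rlm_python injects "radiusd"; this fallback (an assumption, so the file also runs
# outside FreeRADIUS) carries only the return codes used below.
try:
    import radiusd
except ImportError:
    class radiusd:
        RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_HANDLED = 0, 2, 3

DIRECTORY = {"lou": "ad-password-1"}   # constructed stand-in for the AD/ldapcompare check
SENT_SMS = []                          # constructed outbox standing in for the SMS gateway
PENDING = {}                           # State token -> [user, otp, expires_at, tries_left]
OTP_TTL, MAX_TRIES = 120, 3

def attrs(p):
    # the request arrives as ((name, value), ...); string values are double-quoted
    return {k: v.strip('"') for k, v in p}

def check_ad(user, password):
    return DIRECTORY.get(user) == password   # replace with an LDAP bind / ldapcompare

def challenge(user):
    otp = "%06d" % secrets.randbelow(10 ** 6)
    # 0x-prefixed so FreeRADIUS stores State as raw octets and hands it back in the same form
    state = "0x" + secrets.token_hex(16)
    PENDING[state] = [user, otp, time.time() + OTP_TTL, MAX_TRIES]
    SENT_SMS.append((user, otp))
    # return Access-Challenge; the client must echo State in its second Access-Request
    return (radiusd.RLM_MODULE_HANDLED,
            (("State", state), ("Reply-Message", "Enter the code sent to your phone")),
            (("Response-Packet-Type", "Access-Challenge"),))

def authenticate(p):
    a = attrs(p)
    user, password, state = a.get("User-Name"), a.get("User-Password", ""), a.get("State")
    if state is None:                                    # step 1: AD password
        return challenge(user) if user and check_ad(user, password) else radiusd.RLM_MODULE_REJECT
    entry = PENDING.get(state)                           # step 2: OTP sent as User-Password
    if entry is None or entry[0] != user or time.time() > entry[2]:
        PENDING.pop(state, None)                         # unknown, foreign or expired challenge
        return radiusd.RLM_MODULE_REJECT
    entry[3] -= 1
    if hmac.compare_digest(password.encode(), entry[1].encode()):
        del PENDING[state]                               # single use: the code cannot be replayed
        return radiusd.RLM_MODULE_OK
    if entry[3] <= 0:
        del PENDING[state]                               # too many wrong codes: start over
    return radiusd.RLM_MODULE_REJECT
```

The module still has to be wired in as the Auth-Type for these requests in the virtual server, and PENDING must become a shared store (database or cache) if more than one FreeRADIUS process handles the two requests.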