Using freeRadius with OTP and gateway

Tim White timwhite88 at gmail.com
Thu Mar 8 03:07:22 CET 2012


Hi Mercier

What it sounds like you are trying to do needs more than just the 
radius server to do it. One of the features I'm writing for the Grase 
Hotspot (which uses Coova Chilli and Freeradius) is the ability for the 
user to create an account based on their mobile number.

It goes a bit like this.
The user is presented with a form that allows them to enter a "username", 
which has to be their mobile number.
The form is submitted to a PHP script, which then creates a user in the 
radius tables (SQL) with the username as their mobile number, and 
generates them a random password. The same PHP script then sends that 
random password via an SMS gateway to the user's mobile phone (confirming 
that the number is correct and the user has possession of it).
The user is then presented with a normal login form, in which they can use 
the mobile number and the password they received as an SMS to log in, 
which is handled via normal Coova Chilli and Radius.

What you could do is, again using a PHP script, generate the OTP and 
create the user in a special temporary table with the OTP and a password 
(maybe the user sets the password as well). Then the user sends the OTP 
to the special number and waits. When the SMS arrives at the special 
number, it would need to trigger a script somehow (not sure how you 
receive your SMS, as all the gateways I use are for sending only), which 
would then confirm the OTP from the temporary table; if it is valid, then 
we create the user with the password specified in the table, and then 
the user can log in.

I'm assuming, though, that what you want to do sounds like 2 different 
things. Firstly, you want the Radius server to create a user when there 
is no user known. For this, you are going to need a script that does it. 
I prefer an external script, but you could use rlm_perl or similar to do it.

The second half of what you are doing sounds like using OTPs for the 
user. There are a few ways to do this, but normally the user either has 
an application (i.e. smartphone, or security token dongle thing) that is 
pre-authorised with codes to assist with generating the time-based 
OTPs, or a list of use-once passwords that the server also has, to be 
used in order, or, as most banks around here do, an SMS sent to the 
authorised phone number of the user, so the user uses that instead of 
their normal password.

I hope that is clear. You probably need to do 2 different things to get 
the solution you want.

Tim
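The temporary-table OTP flow described in the reply above, as an added example that is not part of the original thread or of the Grase Hotspot code. It uses an in-memory SQLite database as a stand-in for the radius SQL tables, a constructed pending table and a radcheck table in the FreeRADIUS 2.x Cleartext-Password style; the phone numbers and passwords are constructed sample values.

```python
import hashlib, hmac, secrets, sqlite3, time

OTP_TTL_SECONDS = 300   # pending OTP expires after 5 minutes
MAX_ATTEMPTS = 5        # discard the pending entry after too many wrong codes

def open_db():
    # In-memory stand-in for the radius SQL database (constructed for this example).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pending (username TEXT PRIMARY KEY, otp_hash TEXT, password TEXT,
                              expires INTEGER, attempts INTEGER DEFAULT 0);
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT,
                               op TEXT, value TEXT);
    """)
    return db

def _hash(otp):
    return hashlib.sha256(otp.encode()).hexdigest()

def start_registration(db, mobile, password, now=None):
    """Step 1: store a pending account keyed by mobile number; return the OTP to show the user."""
    now = now or int(time.time())
    otp = "".join(secrets.choice("0123456789") for _ in range(6))  # CSPRNG, not random.randint
    db.execute("REPLACE INTO pending VALUES (?, ?, ?, ?, 0)",
               (mobile, _hash(otp), password, now + OTP_TTL_SECONDS))
    return otp  # only the hash is stored; the code itself is shown once and never logged

def confirm_otp(db, mobile, otp, now=None):
    """Step 2: called when the gateway delivers the inbound SMS. Creates the radius user on success."""
    now = now or int(time.time())
    row = db.execute("SELECT otp_hash, password, expires, attempts FROM pending WHERE username=?",
                     (mobile,)).fetchone()
    if row is None:
        return False
    otp_hash, password, expires, attempts = row
    if now > expires or attempts >= MAX_ATTEMPTS:
        db.execute("DELETE FROM pending WHERE username=?", (mobile,))
        return False
    if not hmac.compare_digest(otp_hash, _hash(otp)):  # constant-time comparison
        db.execute("UPDATE pending SET attempts=attempts+1 WHERE username=?", (mobile,))
        return False
    # Valid: create the real radius user (FreeRADIUS 2.x radcheck row) and remove the
    # pending entry so the same OTP cannot be replayed.
    db.execute("INSERT INTO radcheck (username, attribute, op, value) "
               "VALUES (?, 'Cleartext-Password', ':=', ?)", (mobile, password))
    db.execute("DELETE FROM pending WHERE username=?", (mobile,))
    return True

def radius_user_exists(db, username):
    return db.execute("SELECT 1 FROM radcheck WHERE username=?", (username,)).fetchone() is not None
```

The inbound-SMS trigger that calls confirm_otp is gateway-specific and is left to the receiving script, as the reply notes.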

On 07/03/12 22:56, Mercier Valentin wrote:
> Hi everyone,
>
> I'm using Freeradius 2.1.12 on a Debian server. I have another 
> Debian server with Coovachilli (captive portal) and an Access Point 
> based on Ruckus OS.
> When my users connect on the AP, a web page comes up with a 
> form to connect. Then the user enters his information (username and 
> password) and Coovachilli does the authentication on the radius, and 
> this is working fine.
>
> Now I want to make something different: when the user connects on the 
> AP, I want him to receive a little form, then he needs to enter a 
> username (not known on the radius) and I want the radius to create a 
> One Time Password and send it to the user (on another webpage). And 
> the user sends this OTP via SMS to an SMS gateway to finish the 
> authentication. Is that possible, and if yes, could someone explain to 
> me how I can make it?
>
> For the gateway sms I am using SMSLib (java library) on the 
> *same* server as freeradius.
>
> Best regards and sorry for my bad English (from Switzerland).
> -- 
> Mercier Valentin
>
>
