MSCHAPv2 followed by a smsotp authentication
Thomas Glanzmann
thomas at glanzmann.de
Thu Mar 29 17:53:44 CEST 2012
Hello,
I have a proprietary radius client which I want to authenticate against
freeradius the following way:

- User types his username: directory\Administrator password:secret
- Freeradius authenticates against active directory.
  This already works.
- From the documentation of the proprietary radius client:

    After authenticating to RADIUS, you may get another prompt if
    the RADIUS server responded with a supported Access Challenge.
    Full generic RADIUS challenge/response is not supported, but a
    limited access challenge for a string token code is supported.

- So now I want freeradius to send 'Access Challenge' and send a
  sms to the user (for that purpose I wrote a perl daemon which
  listens on a unix socket in order to talk to smsotp freeradius
  module)[1]. However nothing comes in.

I configured freeradius the following way:

sites-enabled/default:

    authorize {
        smsotp
        mschap
    }

    authenticate {
        mschap
        Auth-Type smsotp {
            mschap
            smsotp
        }
        Auth-Type smsotp-reply {
            smsotp
        }
    }

users:

    DEFAULT Auth-Type = smsotp

radius -X output here: http://thomas.glanzmann.de/tmp/radius-x.txt
[1] smsotpd: http://thomas.glanzmann.de/tmp/smsotpd.pl

And now my questions:

- Is it possible to do a mschapv2 authentication followed by
  Access challenge in order to send out a sms with a one time
  password by configuring freeradius or do I need to code? Where
  do I find pointers? I read the source code of the smsotp and
  the rlm_example module, I get the basic idea that first the
  otp is generated and then it is checked, however I don't get
  how to configure freeradius to choose the codepath. I also
  don't get if it is possible to stack authentication methods in
  freeradius.

Cheers,
Thomas
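
The two-round flow described in this message (first factor, then an Access-Challenge carrying a State attribute, then a second Access-Request with the SMS token), as an added example that is not part of the original post and is not FreeRADIUS or smsotp code. Assumptions: the first factor is stubbed as a password comparison standing in for MS-CHAPv2, the token comes back in User-Password, and all function names, the TTL and the sample data are hypothetical.

```python
import hmac
import secrets
import time

# Constructed sample data; the password lookup stands in for the
# MS-CHAPv2 check against Active Directory (assumption).
USERS = {"directory\\Administrator": "secret"}
OTP_TTL = 120   # seconds a challenge stays valid (assumed value)
pending = {}    # State -> (username, otp, expiry)
sent_sms = []   # stands in for the SMS gateway

def handle(request, now=None):
    """Process one Access-Request (dict) and return the reply (dict)."""
    now = time.time() if now is None else now
    user = request.get("User-Name", "")
    given = request.get("User-Password", "")
    state = request.get("State")
    if state is None:
        # Round 1: verify the first factor before any SMS is sent.
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(
                expected.encode(), given.encode()):
            return {"Code": "Access-Reject"}
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_hex(16)   # unguessable handle for round 2
        pending[state] = (user, otp, now + OTP_TTL)
        sent_sms.append((user, otp))
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent by SMS"}
    # Round 2: State must name a pending challenge; pop() makes it single use.
    entry = pending.pop(state, None)
    if entry is None:
        return {"Code": "Access-Reject"}
    owner, otp, expiry = entry
    ok = (owner == user and now <= expiry
          and hmac.compare_digest(otp.encode(), given.encode()))
    return {"Code": "Access-Accept" if ok else "Access-Reject"}
```

The State value is what lets the server tell the second request from a fresh login; binding it to the user, expiring it and consuming it on first use keeps a captured token from being replayed.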