MSCHAPv2 followed by a smsotp authentication
Alan DeKok
aland at deployingradius.com
Thu Mar 29 18:15:03 CEST 2012
Thomas Glanzmann wrote:
> I have a proprietary radius client which I want to authenticate against
> freeradius the following way:
>
> - User types in username: directory\Administrator password: secret
> - Freeradius authenticates against active directory.
Which authentication method? This matters a lot.
> This already works
>
> - From the documentation of the proprietary radius client:
>
> After authenticating to RADIUS, you may get another prompt if
> the RADIUS server responded with a supported Access Challenge.
> Full generic RADIUS challenge/response is not supported, but a
> limited access challenge for a string token code is supported.
What does that mean?
> - So now I want freeradius to send 'Access Challenge' and send a
> sms to the user (for that purpose I wrote a perl daemon which
> listens on a unix socket in order to talk to smsotp freeradius
> module)[1]. However nothing comes in.
What does that mean? "nothing comes in" ???
> authenticate {
>     mschap
>     Auth-Type smsotp {
>         mschap
>         smsotp
>     }
> }
I really doubt that will work.
> - Is it possible to do a mschapv2 authentication followed by
> Access challenge in order to send out a sms with a one time
> password by configuring freeradius or do I need to code?
No. It's impossible. MS-CHAP is an authentication method with
pre-defined meaning, user interaction, and data flow. Adding something
to it is impossible.
> Where
> do I find pointers? I read the source code of the smsotp and
> the rlm_example module, I get the basic idea that first the
> otp is generated and then it is checked, however I don't get
> how to configure freeradius to choose the codepath. I also
> don't get if it is possible to stack authentication methods in
> freeradius.
Sometimes, yes. It depends on the authentication method.
Alan DeKok.
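The challenge/response round trip the client's documentation describes, as an added example that is not part of this thread and not FreeRADIUS code: a toy RADIUS server and client in Python that perform the RFC 2865 exchange with PAP, where the server can read both the directory password and, in the second round, the SMS code from User-Password. The shared secret, the user table standing in for Active Directory and the SMS callback are constructed stand-ins; the User-Password hiding and the Response Authenticator follow RFC 2865 sections 5.2 and 3.

```python
"""Toy RADIUS Access-Challenge round trip (RFC 2865). Added example, not FreeRADIUS code.
Round 1: Access-Request (PAP password) -> Access-Challenge (State + Reply-Message).
Round 2: Access-Request (SMS code as User-Password, State echoed) -> Accept/Reject.
Secret, user table and SMS hook below are constructed stand-ins."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"testing123"                                  # constructed shared secret
PASSWORD_DB = {"directory\\Administrator": "secret"}    # constructed stand-in for AD


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the chain is keyed from the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\0")


def encode(code, ident, authenticator, attrs):
    """Header (code, id, length) + 16-byte authenticator + type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def reply(code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + SECRET).digest() + body


def verify_reply(pkt, request_auth):
    """Client side: drop any reply whose Response Authenticator does not check out."""
    code, _, resp_auth, attrs = decode(pkt)
    if resp_auth != hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest():
        raise ValueError("bad Response Authenticator")
    return code, attrs


class ChallengeServer:
    def __init__(self, send_sms):
        self.send_sms = send_sms
        self.pending = {}   # State -> (user, one-time code); consumed on first use

    def handle(self, pkt):
        _, ident, req_auth, a = decode(pkt)
        user = a[USER_NAME].decode()
        secret_in = pap_reveal(a[USER_PASSWORD], SECRET, req_auth).decode()
        if STATE not in a:
            # Round 1: User-Password is the directory password.
            if PASSWORD_DB.get(user) != secret_in:
                return reply(ACCESS_REJECT, ident, req_auth, [])
            otp = "%06d" % (int.from_bytes(os.urandom(4), "big") % 1000000)
            state = os.urandom(16)
            self.pending[state] = (user, otp)
            self.send_sms(user, otp)
            return reply(ACCESS_CHALLENGE, ident, req_auth,
                         [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent by SMS")])
        # Round 2: User-Password is the SMS code; State ties it to round 1 and is single-use.
        if self.pending.pop(a[STATE], None) != (user, secret_in):
            return reply(ACCESS_REJECT, ident, req_auth, [])
        return reply(ACCESS_ACCEPT, ident, req_auth, [])


def build_request(ident, user, password, state=None):
    auth = os.urandom(16)   # fresh Request Authenticator per request
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password.encode(), SECRET, auth))]
    if state is not None:
        attrs.append((STATE, state))   # echoed back unmodified, as RFC 2865 requires
    return encode(ACCESS_REQUEST, ident, auth, attrs), auth


def run_flow(user, password, typed_code=None):
    """Drive both rounds; returns the final RADIUS code. typed_code replaces the real SMS code."""
    delivered = {}
    server = ChallengeServer(lambda u, otp: delivered.__setitem__(u, otp))
    req, auth = build_request(1, user, password)
    code, attrs = verify_reply(server.handle(req), auth)
    if code != ACCESS_CHALLENGE:
        return code
    code_in = typed_code if typed_code is not None else delivered[user]
    req, auth = build_request(2, user, code_in, attrs[STATE])
    return verify_reply(server.handle(req), auth)[0]
```

The State attribute is what binds the second Access-Request to the first; the server consumes it on use, so a captured challenge cannot be replayed, and the client checks the Response Authenticator so a forged Access-Accept from the network is discarded. The flow only works because PAP delivers a fresh cleartext value in User-Password each round; with MS-CHAPv2 the client sends an NT-Response computed from the password and the server's challenge, and expects an Access-Accept carrying MS-CHAP2-Success, so there is no field in which a later SMS code could arrive, which is one concrete reason for the answer above.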