MSCHAPv2 followed by a smsotp authentication

Thomas Glanzmann thomas at glanzmann.de
Thu Mar 29 18:47:43 CEST 2012


Hello Alan,

> Which authentication method? This matters a lot.

I configured it to use MSCHAPv2 (but they also support PAP, CHAP and
MSCHAPv1).

> >           After authenticating to RADIUS, you may get another prompt if
> >           the RADIUS server responded with a supported Access Challenge.
> >           Full generic RADIUS challenge/response is not supported, but a
> >           limited access challenge for a string token code is supported.

>   What does that mean?

I have absolutely no clue, but I'm getting closer. I have now managed to
configure freeradius so that I get the second prompt (see below).

> >         - So now I want freeradius to send 'Access Challenge' and send a
> >           sms to the user (for that purpose I wrote a perl daemon which
> >           listens on a unix socket in order to talk to smsotp freeradius
> >           module)[1]. However nothing comes in.

>   What does that mean?  "nothing comes in" ???

I meant that my perl daemon was never called by freeradius, but I have now
figured out how to receive at least the first stage of the smsotp challenge
(I had to send a greeting on the socket, otherwise the smsotp radius plugin
would wait forever).

> > authenticate {
> >         mschap
> >         Auth-Type smsotp {
> >                 mschap
> >                 smsotp
> >         }

>   I really doubt that will work.

I modified it to look like that:

authorize {
        # rlm_mschap sets Auth-Type := MS-CHAP when the request carries
        # MS-CHAP attributes
        mschap
}

authenticate {
        # first round: verify the MS-CHAPv2 response, then let smsotp
        # generate the code and answer with an Access-Challenge
        Auth-Type MS-CHAP {
                mschap
                smsotp
        }

        # second round, after the Access-Challenge: verify the code the
        # user typed
        Auth-Type smsotp-reply {
                smsotp
        }
}

I now get the first prompt, followed by the second prompt, which asks for
the PIN received via SMS. However, when I type in a code, I don't see
anything in freeradius or my smsotpd.

Output of smsotpd now shows:

(minisqueeze) [~/work/smsotpd] ./smsotpd.pl
<generate otp for directory\Administrator>
generate otp for directory\Administrator
<quit>
Received QUIT

Which is the first stage of the challenge response.

http://thomas.glanzmann.de/tmp/radius-x.txt
http://thomas.glanzmann.de/tmp/smsotpd.pl
http://thomas.glanzmann.de/tmp/radius.pcap

I sniffed and I only see two packets (one Access-Request and one Access-
Challenge). However, when I type the SMS passcode and press return,
absolutely nothing happens (no packets are sent over the network and I
get a new prompt).

Cheers,
        Thomas


More information about the Freeradius-Users mailing list
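The two-step exchange that the quoted NAS documentation describes (Access-Request, Access-Challenge carrying a State attribute, then a second Access-Request that echoes the State together with the token code), as an added Python model that is not part of this message, of FreeRADIUS, or of rlm_smsotp. Attribute names follow RFC 2865; the user name, password and `send_sms` callback are constructed test data, and the plain password check stands in for the MS-CHAPv2 verification rlm_mschap performs:

```python
"""Two-step RADIUS exchange (password, then SMS one-time code) modelled in
pure Python.  Attribute names follow RFC 2865; this is a model of the
protocol semantics, not FreeRADIUS, rlm_smsotp or NAS code."""
import hmac
import secrets
import time

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11


class SmsOtpServer:
    """Server side.  Stage 1 checks the password (standing in for the
    MS-CHAPv2 check rlm_mschap does) and answers with an Access-Challenge
    carrying a fresh State; stage 2 is reached only by a request that
    echoes that State and carries the SMS code in User-Password."""

    def __init__(self, users, send_sms, ttl=120):
        self.users = users        # user -> password (constructed test data)
        self.send_sms = send_sms  # callback standing in for the SMS daemon
        self.ttl = ttl            # seconds a challenge stays answerable
        self.pending = {}         # State -> (user, otp, expiry)

    def handle(self, request, now=None):
        now = time.time() if now is None else now
        user = request.get("User-Name")
        password = request.get("User-Password") or ""
        state = request.get("State")
        if state is None:
            return self._first_stage(user, password, now)
        return self._second_stage(user, state, password, now)

    def _first_stage(self, user, password, now):
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(),
                                                       password.encode()):
            return {"Code": ACCESS_REJECT}
        otp = "%06d" % secrets.randbelow(10 ** 6)
        state = secrets.token_bytes(16)  # unguessable; binds round 2 to round 1
        self.pending[state] = (user, otp, now + self.ttl)
        self.send_sms(user, otp)
        return {"Code": ACCESS_CHALLENGE, "State": state,
                "Reply-Message": "Enter the code sent to your mobile"}

    def _second_stage(self, user, state, code, now):
        entry = self.pending.pop(state, None)  # one shot: a replayed State fails
        if entry is None:
            return {"Code": ACCESS_REJECT}     # unknown, used or forged State
        bound_user, otp, expiry = entry
        if now > expiry or user != bound_user:
            return {"Code": ACCESS_REJECT}
        if not hmac.compare_digest(otp.encode(), code.encode()):
            return {"Code": ACCESS_REJECT}
        return {"Code": ACCESS_ACCEPT}


class Nas:
    """Client side.  On an Access-Challenge the NAS must prompt the user
    and send a second Access-Request that echoes the State unchanged
    (RFC 2865 section 5.24); if no second request is sent, the login
    never completes."""

    def __init__(self, server):
        self.server = server

    def login(self, user, password, read_code):
        reply = self.server.handle({"Code": ACCESS_REQUEST,
                                    "User-Name": user,
                                    "User-Password": password})
        if reply["Code"] != ACCESS_CHALLENGE:
            return reply["Code"]
        code = read_code(reply.get("Reply-Message", ""))
        reply = self.server.handle({"Code": ACCESS_REQUEST,
                                    "User-Name": user,
                                    "User-Password": code,
                                    "State": reply["State"]})  # echoed as-is
        return reply["Code"]


def demo():
    """Constructed run: a correct login and one with a wrong SMS code."""
    inbox = {}                                   # stands in for the phone
    server = SmsOtpServer({"alice": "correct horse"},
                          lambda user, otp: inbox.__setitem__(user, otp))
    nas = Nas(server)
    good = nas.login("alice", "correct horse", lambda prompt: inbox["alice"])
    # flip the first digit so the code is certainly wrong
    wrong = nas.login("alice", "correct horse",
                      lambda prompt: ("1" if inbox["alice"][0] != "1" else "2")
                      + inbox["alice"][1:])
    return good, wrong


if __name__ == "__main__":
    print(demo())   # (2, 3): Access-Accept, then Access-Reject
```

The server side binds the challenge to the user through an unguessable State value that is accepted once and expires; the client side shows the part that is the NAS's job alone: after the Access-Challenge it has to emit a second Access-Request, otherwise only the two packets of the first round ever appear on the wire.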