EXEC Access-challenge
Phil Mayers
p.mayers at imperial.ac.uk
Thu Oct 11 10:56:24 CEST 2012
On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
> I'm trying to create a PHP OTP script with challenge response.
>
> echo "Reply-Message += \"Enter SMS\",\n";
>
> echo "State += \"$random\",\n";
>
> echo "Response-Packet-Type = \"Access-Challenge\",\n";
I think that needs to be a control item, not a reply item, and you can't
set reply & control items from an "exec" script at the same time.
Therefore, I'm not sure you can do that with an exec script alone.
See:
http://lists.freeradius.org/pipermail/freeradius-users/2012-September/062606.html
(ignore the non-technical bits, the poster was being... combative)
...and maybe:
http://lists.freeradius.org/pipermail/freeradius-users/2012-July/061953.html
I think something like the following might be what you need:
  authorize {
    ...
    myexec
    if (updated) {
      update control {
        Response-Packet-Type := Access-Challenge
      }
      handled
    }
    ...
  }
...and make your "exec" script return "updated" (9)
The server isn't really rigged for scripts/unlang sending
Access-Challenge, so this is not a well-explored area. If someone who is
using this could write a wiki article detailing the considerations, that
would be great. It seems to be a common requirement. I'm guessing the
Google "2-step" auth and imitators have rekindled interest in OTP?
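
The exec-script side of the flow described in this message, as an added example that is not part of the original post or of FreeRADIUS itself: the first pass issues an unpredictable State and exits 9 ("updated"), the second pass checks the code once, bound to the user and an expiry time. It assumes request attributes reach the script as the environment variables USER_NAME, USER_PASSWORD and STATE (possibly quoted or 0x-prefixed) and that State may be written back as 0x hex; OTP_DIR, OTP_TTL and OTP_EXEC_RUN are hypothetical names.

```shell
#!/bin/sh
# Added example: two-phase OTP exec script. The environment variable names,
# their quoting and the 0x form of State are assumptions, not from the thread.
OTP_DIR=${OTP_DIR:-/var/run/radius-otp}   # hypothetical state store
OTP_TTL=${OTP_TTL:-120}                   # seconds a challenge stays valid

norm() {  # strip surrounding double quotes and a 0x prefix from a value
    printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//' -e 's/^0x//'
}

otp_challenge() {  # $1=user: store state + code, print reply pairs, "updated"
    umask 077; mkdir -p "$OTP_DIR"
    state=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # 128-bit State
    code=$(printf '%06d' $(( $(od -An -N4 -tu4 /dev/urandom) % 1000000 )))
    printf '%s %s %s\n' $(( $(date +%s) + $OTP_TTL )) "$code" "$1" \
        > "$OTP_DIR/$state"
    # Delivering $code by SMS happens here; it is outside this example.
    printf 'Reply-Message += "Enter SMS",\nState += 0x%s\n' "$state"
    return 9   # "updated", so the unlang block can set Access-Challenge
}

otp_verify() {  # $1=user $2=state $3=code: returns 0 (ok) or 1 (reject)
    case $2 in ''|*[!0-9a-f]*) return 1 ;; esac   # state becomes a file name
    f="$OTP_DIR/$2"
    [ -f "$f" ] || return 1
    read -r exp code user < "$f"
    rm -f "$f"                                    # single use, even on failure
    [ "$user" = "$1" ] && [ "$(date +%s)" -le "$exp" ] && [ "$code" = "$3" ]
}

otp_exec() {  # no State in the request: challenge; otherwise verify
    user=$(norm "${USER_NAME:-}")
    if [ -z "${STATE:-}" ]; then
        otp_challenge "$user"
    else
        otp_verify "$user" "$(norm "$STATE")" "$(norm "${USER_PASSWORD:-}")"
    fi
}

# Run only when invoked as the exec program (hypothetical switch).
if [ "${OTP_EXEC_RUN:-}" = 1 ]; then otp_exec; exit $?; fi
```

The stored record is deleted on the first verification attempt, so a guessed or replayed State cannot be tried twice.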