EXEC Access-challenge

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 11 10:56:24 CEST 2012

On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
> I´am trying to create a php OTP script with challenge reponse.
> echo "Reply-Message += \"Enter SMS\",\n";
> echo "State += \"$random\",\n";
> echo "Response-Packet-Type = \"Access-Challenge\",\n";

I think that needs to be a control item, not a reply item, and you can't 
set reply & control items from an "exec" script at the same time. 
Therefore, I'm not sure you can do that with an exec script alone.


(ignore the non-technical bits, the poster was being... combative)

...and maybe:


I think something like the following might be what you need:

authorize {
   if (updated) {
     update control {
       Response-Packet-Type := Access-Challenge

...and make your "exec" script return "updated" (9)

The server isn't really rigged for scripts/unlang sending 
Access-Challenge, so this is not a well-explored area. If someone who is 
using this could write a wiki article detailing the considerations, that 
would be great. It seems to be a common requirement. I'm guessing the 
Google "2-step" auth and imitators have rekindled interest in OTP?

More information about the Freeradius-Users mailing list