freeradius OTP with OATH

Thomas Glanzmann thomas at glanzmann.de
Sun Sep 9 06:27:58 CEST 2012


Hello Arran,

> What is the server missing as of 2.2.0 that requires the use of rlm_perl?

I'm not aware of the FreeRadius internals but you can simply look at the
FreeRadius Module rlm_smsotp. This is what happens.

        - User authenticates with PAP
        - The server's answer will be of Access-Challenge type and
          include two additional fields:

                - State: Random number (FreeRadius has to keep it and
                  associate it with the generated OTP)

                - Prompt

          At the same time an OTP random number is also saved and
          associated with the state and the user and sent to the user,
          for example using an SMS, but it could of course use any other
          OTP method, for example with a preshared key.

        - The client answers and provides the state and OTP in the
          'password' field. The server then has to verify:

                - Is the state corresponding to user name and otp?

                - Is the request still valid (timeout)?

That's basically it.

> On the surface it seems all you're missing is random string generation?

If it can't do that, then yes, for the state and the OTP value.

> With 3.0 you can define policies which have 'methods' that map to the
> different sections of the server, so you could write the whole thing
> as a virtual module.

If you walk me through it, I would like to try that.

Cheers,
        Thomas
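The two-step flow Thomas describes (PAP check, Access-Challenge carrying a State and a prompt, OTP saved against the state and user, client returning State plus OTP in the password field, server checking the state/user/OTP binding and the timeout) as a small stand-alone model. This is an added illustration, not code from FreeRADIUS, rlm_smsotp or rlm_perl; the class and function names, the 120-second timeout, the use of Reply-Message for the prompt and the sample user table are all assumptions. The OTP source is pluggable: the default is the random number sent out of band (the SMS case), and `hotp()` implements the RFC 4226 "preshared key" variant mentioned as an alternative.

```python
"""Toy model of a RADIUS Access-Challenge OTP exchange (added example, not
FreeRADIUS code).  State is a random token, the OTP is stored keyed on it,
and the second request must present a matching state, user and OTP before
the challenge times out.  A state is single use."""
import hashlib
import hmac
import secrets
import struct
import time

CHALLENGE_TIMEOUT = 120  # seconds; assumed value, not from the message


def random_otp(digits=6):
    """Random numeric OTP, the kind delivered to the user by SMS."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def hotp(secret: bytes, counter: int, digits=6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation): the preshared-key variant."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpChallengeServer:
    """Hypothetical server-side state machine for the challenge flow."""

    def __init__(self, users, otp_source=random_otp, now=time.time):
        self.users = users          # username -> PAP password (constructed sample)
        self.otp_source = otp_source
        self.now = now              # injectable clock so timeouts are testable
        self.pending = {}           # state -> (user, otp, issued_at)
        self.outbox = []            # (user, otp) that would go out via SMS

    def access_request(self, user, password):
        """Step 1: PAP check, then Access-Challenge with State + prompt."""
        if self.users.get(user) != password:
            return ("Access-Reject", {})
        state = secrets.token_hex(16)       # unguessable, binds request 2 to request 1
        otp = self.otp_source()
        self.pending[state] = (user, otp, self.now())
        self.outbox.append((user, otp))     # stand-in for the SMS gateway
        return ("Access-Challenge", {"State": state, "Reply-Message": "Enter OTP"})

    def challenge_response(self, user, state, password):
        """Step 2: client returns State and puts the OTP in the password field."""
        entry = self.pending.pop(state, None)   # single use, whether it succeeds or not
        if entry is None:
            return "Access-Reject"              # unknown, replayed or already-failed state
        exp_user, exp_otp, issued = entry
        if self.now() - issued > CHALLENGE_TIMEOUT:
            return "Access-Reject"              # challenge expired
        if exp_user != user or not hmac.compare_digest(exp_otp, password):
            return "Access-Reject"              # state not bound to this user/OTP
        return "Access-Accept"


if __name__ == "__main__":
    srv = OtpChallengeServer({"alice": "pw"})   # constructed sample user
    code, attrs = srv.access_request("alice", "pw")
    print(code, attrs)
    print(srv.challenge_response("alice", attrs["State"], srv.outbox[-1][1]))
```

Popping the state on every second request, including failed ones, means a wrong OTP costs the client a fresh PAP round trip rather than another guess against the same challenge; that is the design choice that keeps a six-digit code from being brute-forced within the timeout window.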

