freeradius OTP with OATH

Arran Cudbard-Bell a.cudbardb at
Wed Sep 12 13:18:06 CEST 2012

On 9 Sep 2012, at 05:27, Thomas Glanzmann <thomas at> wrote:

> Hello Arran,
>> What is the server missing as of 2.2.0 that requires the use of rlm_perl?
> I'm not aware of the FreeRadius internals but you can simply look at the
> FreeRadius Module rlm_smsotp. This is what happens.
>        - User authenticates with PAP
>        - The server answer will be of access challenge type and
>          includes two additional fields:
>                - State: Random number (FreeRadius has to keep it an
>                  associate that with the generated otp)
>                - Prompt
>          At the same time a otp random number is also saved and
>          associated with the state and the user and sent to the user
>          for example using a SMS but it could of course use any other
>          otp method for example with preshared key.
>        - The client answeres and provide the state and otp in the
>          'passowrd' field. The server than has to verify:
>                - Is the state corresponding to user name and otp?
>                - Is the request still valid (timeout)?
> That's basically it.


>> On the surface it seems all you're missing is random string generation?
> If it can't do that, than yes for the state and the otp value.
>> With 3.0 you can define policies which have 'methods' that map to the
>> different sections of the server, so you could write the whole thing
>> as a virtual module.
> If you walk me through it, I would like to try that.

Just name your policies using <virtual_module>.<section> {}, then use instances of the always module to set the return code :)

For storing the state take a look at the new rlm_cache module, it'd be perfect for this (so long as you don't need state to be shared between servers, or persist after restarts). I'll look at adding a special xlat method to generate random strings.


More information about the Freeradius-Users mailing list