Cache One Time Password OTP
Gardner, Mark
mark.gardner at kc.frb.org
Tue Mar 17 00:03:55 CET 2015
I think I've found a solution. I'm posting it here mostly for a sanity
check and to share if anyone else is having issues combining a YUBIKEY
Hashed One Time Password (HOTP) for a token caching service. This is very
similar to the offering that Steel Belted Radius provides.
FreeRadius Version: freeradius-2.2.6-1
Must be compiled with --with-edir and have the rlm_cache caching module
available.
eDirectory server configured with HOTP NMAS Method (
https://www.netiq.com/communities/cool-solutions/using-yubico-yubikey-with-edirectory-for-two-factor-authentication/ )
The main driver behind this solution was using two-factor authentication
with Thinlinc. Their solution requires that an OTP be used twice. Their
documentation recommends Steel Belted Radius, which has this feature built
in for them. I'd rather use a FreeRADIUS solution.
1) Get PAP working with ldap. (not comparing extracted passwords)
2) copy the modules/cache to modules/hotpcache

cache hotpcache {
        key = "%{User-Name}/%{urlquote:%{User-Password}}"
        ttl = 5
        epoch = 0
        add-stats = no
        update {
                reply:Reply-Message += "I'm the cached reply from %t"
                control:Class := 0x010203
        }
}
3) Here is the default site that uses the new cache module
authorize {
        preprocess
        eap {
                ok = return
        }
        ldap
        hotpcache
        if (ok) {
                update control {
                        Auth-Type := Accept
                        Cache-Status-Only !* ANY
                        Cache-TTL = 0
                }
                hotpcache # remove entry
                ok
        }
        else {
                update control {
                        Cache-Status-Only !* ANY
                }
        }
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                ldap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        exec
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
                update control {
                        Cache-TTL = 0
                }
                hotpcache
                update control {
                        Cache-TTL !* ANY
                }
        }
        hotpcache
}

pre-proxy {
}

post-proxy {
        eap
}
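To make the request flow in the posted config easier to follow, here is an added Python model of it; it is an illustration written for this thread, not code from the poster, FreeRADIUS or NetIQ. It assumes a counter-based HOTP backend (a constructed stand-in for the eDirectory NMAS method, using the RFC 4226 test secret) that accepts each code once, and an in-memory cache keyed on "user/otp" with the config's ttl of 5 seconds. Walking one Access-Request through authorize, authenticate and post-auth shows why the cache is needed: the backend refuses a replayed code, so the second use that Thinlinc needs can only come from the cache, and a third use, an expired entry, or a code that never authenticated is rejected.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpBackend:
    """Constructed stand-in for the eDirectory NMAS HOTP method: counter
    based, a code is accepted once and the counter advances, so the backend
    itself refuses a second Access-Request carrying the same code."""

    def __init__(self, secrets: dict, look_ahead: int = 5) -> None:
        self.secrets = dict(secrets)          # user -> shared HOTP secret
        self.counters = {u: 0 for u in secrets}
        self.look_ahead = look_ahead          # resync window

    def verify(self, user: str, otp: str) -> bool:
        if user not in self.secrets:
            return False
        start = self.counters[user]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secrets[user], c), otp):
                self.counters[user] = c + 1   # code consumed
                return True
        return False


class HotpCache:
    """Mimics the rlm_cache instance: entries keyed on "user/otp" that
    expire after `ttl` seconds (ttl = 5 in the posted config)."""

    def __init__(self, ttl: int = 5) -> None:
        self.ttl = ttl
        self.entries = {}                     # key -> expiry time

    def hit(self, key: str, now: float) -> bool:
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[key]             # lazy expiry
            return False
        return True

    def add(self, key: str, now: float) -> None:
        self.entries[key] = now + self.ttl

    def remove(self, key: str) -> None:
        self.entries.pop(key, None)           # what Cache-TTL = 0 does


class RadiusFlow:
    """One Access-Request through authorize -> authenticate -> post-auth."""

    def __init__(self, backend: HotpBackend, ttl: int = 5) -> None:
        self.backend = backend
        self.cache = HotpCache(ttl)

    def access_request(self, user: str, otp: str, now: float) -> str:
        key = f"{user}/{otp}"
        # authorize: cache hit -> Auth-Type := Accept and drop the entry,
        # so the code is honoured exactly twice (once live, once cached)
        if self.cache.hit(key, now):
            self.cache.remove(key)
            return "Access-Accept (cached)"
        # authenticate: PAP against the HOTP backend
        if self.backend.verify(user, otp):
            self.cache.add(key, now)          # post-auth: store the entry
            return "Access-Accept"
        self.cache.remove(key)                # Post-Auth-Type REJECT
        return "Access-Reject"


def demo() -> list:
    """Replay the two-use behaviour with the RFC 4226 test secret."""
    secret = b"12345678901234567890"         # RFC 4226 test vector key
    flow = RadiusFlow(HotpBackend({"alice": secret}), ttl=5)
    first, second = hotp(secret, 0), hotp(secret, 1)
    return [
        flow.access_request("alice", first, now=0.0),    # live HOTP check
        flow.access_request("alice", first, now=2.0),    # second use, cached
        flow.access_request("alice", first, now=3.0),    # third use: refused
        flow.access_request("alice", second, now=10.0),  # next code, live
        flow.access_request("alice", second, now=16.0),  # ttl elapsed
        flow.access_request("alice", "000000", now=20.0),  # wrong code
        flow.access_request("alice", "000000", now=21.0),  # never cached
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run it and the seven results are Accept, Accept (cached), Reject, Accept, Reject, Reject, Reject. The ordering in the model matters the same way it does in the unlang: the entry is only written in post-auth after a successful backend check, and the REJECT branch removes it, so a failed request never seeds a cache hit for the next one.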