Freeradius second auth factor

Steffen Klemer steffen.klemer at gwdg.de
Mon Dec 30 10:00:42 CET 2019


On Fri, 20.12.2019 at 18:05, Anton Kiryushkin <swood at fotofor.biz> wrote:

> > > Yes, I can, but you didn't answer the question: is it possible
> > > to run exec and use generated code during the authorisation?  
> >
> >   I did answer the question.  Please pay attention.
> >
> >   You can run the "exec" module anywhere.  Just list it in the
> > "authorize" section.  That's done for ANY module.
> >  
> 
> Yes, again, but I can't trigger it in advance in order to send the OTP
> code. I hoped for a miracle. Merry Christmas!

I don't think that's possible. When you see a packet in FR, the ASA
has already sent the auth-request, so you can't have the just-created
SMS TAN in it -- so the first request has to fail somehow, telling the
ASA to ask again, now hopefully with the correct TAN in the password. I
wouldn't like such a solution :). There should be some out-of-band way
to request a TAN.

Also, your SMS solution might be easily abused by just sending many
auth-requests to the VPN.


/Steffen

-- 
Steffen Klemer                     E-Mail: steffen.klemer at gwdg.de
                                   Tel:    +49 551 201 2170

------------------------------------------------------------------
GWDG - Gesellschaft für wissenschaftliche
Datenverarbeitung mbH Göttingen
Am Faßberg 11, 37077 Göttingen

Service-Hotline:
Tel:    +49 551 201-1523
E-Mail: support at gwdg.de

Contact:
Tel:    0551 201-1510
Fax:    0551 201-2150
E-Mail: gwdg at gwdg.de
WWW:    https://www.gwdg.de
------------------------------------------------------------------
Managing Director:                Prof. Dr. Ramin Yahyapour
Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
Registered office:                Göttingen
Court of registration: Göttingen, commercial register no. B 598
------------------------------------------------------------------
Certified according to ISO 9001
------------------------------------------------------------------
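
The two-round exchange and the SMS-abuse concern from the message above, as an added example that is not part of the original post or of FreeRADIUS: a Python model of the server-side decision logic. It assumes the "ask again" step is done with RADIUS Access-Challenge and the State attribute (RFC 2865), which the post does not name; the class name, the callback and both timing constants are hypothetical.

```python
import hmac
import secrets
import time

SMS_MIN_INTERVAL = 60   # assumed policy: seconds between SMS sends per user
TAN_LIFETIME = 300      # assumed policy: seconds a TAN stays valid


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class TwoStepAuth:  # hypothetical name, not a FreeRADIUS API
    def __init__(self, passwords, send_sms, clock=time.monotonic):
        self.passwords = passwords   # user -> first-factor password
        self.send_sms = send_sms     # callback(user, tan); the SMS gateway
        self.clock = clock
        self.pending = {}            # State value -> (user, tan, expiry)
        self.last_sms = {}           # user -> time of the last SMS sent

    def handle(self, user, password, state=None):
        """Return (reply type, State value or None) for one Access-Request."""
        now = self.clock()
        if state is None:
            # Round 1: the password field holds the first factor only.
            expected = self.passwords.get(user)
            if expected is None or not _same(password, expected):
                return ("Access-Reject", None)   # no SMS for a bad password
            if now - self.last_sms.get(user, float("-inf")) < SMS_MIN_INTERVAL:
                return ("Access-Reject", None)   # throttled: no second SMS
            tan = f"{secrets.randbelow(10**6):06d}"
            state = secrets.token_hex(16)
            self.pending[state] = (user, tan, now + TAN_LIFETIME)
            self.last_sms[user] = now
            self.send_sms(user, tan)
            return ("Access-Challenge", state)   # NAS prompts the user again
        # Round 2: the NAS echoes State; the password field now holds the TAN.
        entry = self.pending.pop(state, None)    # single use, even on failure
        if entry is None:
            return ("Access-Reject", None)
        p_user, tan, expiry = entry
        ok = p_user == user and now <= expiry and _same(password, tan)
        return ("Access-Accept" if ok else "Access-Reject", None)
```

Because an SMS is sent only after the first factor verifies and at most once per interval per user, repeated auth-requests cannot by themselves trigger a stream of messages.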