madmatrix <hailum...@gmail.com> wrote:
>
> Thanks a lot Alexander. I'm familiar with python. So rlm_python might
> be a good choice for me. The main thing I want to do is to give remote
> vpn clients two-factor authentication.
>
Depending on how your VPN works and what the clients can support, you could use the OTP to create the tunnel, and then EAP on the inside to authenticate (and VLAN assign) the user. It would complement any wireless/wired 802.1X solution you have on site perfectly too.

Although a good plan, as the OTP being the first hop means your user credentials cannot be brute forced, you might find it complicated to pull off; at first glance I am not sure how something like IPsec could be OTPised...maybe you will get more luck with OpenVPN.

> Since freeradius, pam and all opensource otp solutions are available, I
> think free two-factor authentication is doable instead of the expensive
> RSA solution.
>
Always bear in mind, as long as the man hours you put in are less than or roughly equal to the RSA solution (over a three year period), then that's a worthwhile approach. Also gives you something to present as a talk to other organisations. :)

> So the first authentication is against our AD. If successful, the
> system should generate a one time password and send it to the user through
> SMS or other ways. The user then puts the otp into the 2nd challenge
> prompt. Freeradius authenticates this otp against the otp server.
>
> I already tried using pam to authenticate against AD or OTP. I was
> trying to use the PAM stack to make this happen. But it's hard to put some
> scripts to send the password to the user between the two PAM modules. So I
> turned to FreeRadius to see if it can have some ways to do this.
>
For your initial version, I recommend when the user is prompted for a password, you get them to type "<otp> <password>" (RSA style). Check the OTP *first* and then validate the password. Your RADIUS configuration will look like:
----
authorize {
	....
	your_python_otp_script
	ldap
	....
}
----
'your_python_otp_script' will *rewrite* User-Password so that when it gets to the ldap module it's as if the user just sent their password without the OTP. Of course if the OTP is incorrect, your_python_otp_script can instantly return reject, giving you your two-factor authentication.

> So if I use rlm_python, I can utilize some existing executable files
> (like ldapsearch, ldapcompare, otp_auth) to directly authenticate
> against LDAP and OTP. To send the OTP to the user is much easier to do in
> python too. Am I correct?
>
rlm_python will let you change how your OTP system functions quickly, which is helpful as:
 * newer flexibility technologies come along that you want to use
 * users find the initial approach too complicated.
As the brains are really all in a python script, you should find it trivial to change to meet their needs.

One word of warning, do *not* use system()/exec() or whatever python uses. Use a native LDAP module. Same with the OTP/SMS approach if possible. Calling OS commands like that, especially when there are native libraries, is generally a Bad Idea(tm) and the coding gods *will* smite you for your crimes.

Cheers

--
Alexander Clouter
.sigmonster says: Time as he grows old teaches all things.
-- Aeschylus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
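As an added example (not code from the list post, nor from FreeRADIUS itself), here is what 'your_python_otp_script' could look like for the "<otp> <password>" scheme above: the OTP is checked first as an HOTP (RFC 4226) token using Python's own hmac module instead of spawning otp_auth, and only then is the stripped password handed on for the ldap module. The rlm_python calling convention assumed (authorize(p) receives a tuple of (attribute, value) pairs and returns an RLM_MODULE_* code or a (code, reply, config) tuple), the in-memory user table and the HOTP secret are all assumptions and constructed values.

```python
# Constructed example of an rlm_python "OTP first, then password" module.
# Assumed rlm_python convention: authorize(p) gets ((attr, value), ...)
# and returns an RLM_MODULE_* code or a (code, reply, config) tuple.
import hashlib
import hmac
import struct

try:
    import radiusd                      # present only inside FreeRADIUS
except ImportError:                     # stand-alone fallback: same enum order
    class radiusd:                      # constructed stand-in for the real module
        RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_UPDATED = 0, 2, 8

# Constructed per-user HOTP state: shared secret and next expected counter.
# A real deployment keeps this in the OTP server's database, not in memory.
USERS = {"alice": {"secret": b"12345678901234567890", "counter": 0}}
LOOKAHEAD = 5   # accept a few unused tokens (e.g. an SMS that never arrived)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def split_and_check(username, user_password):
    """Split '<otp> <password>'; verify the OTP *first*. Returns (ok, password)."""
    otp, sep, password = user_password.partition(" ")
    state = USERS.get(username)
    if not sep or not otp.isdigit() or state is None:
        return False, None
    for c in range(state["counter"], state["counter"] + LOOKAHEAD):
        if hmac.compare_digest(hotp(state["secret"], c), otp):
            state["counter"] = c + 1      # burn this token and any skipped ones
            return True, password
    return False, None                    # wrong OTP: reject before touching LDAP

def authorize(p):
    """rlm_python authorize entry point (calling convention assumed, see above)."""
    attrs = dict(p)
    ok, password = split_and_check(attrs.get("User-Name", ""),
                                   attrs.get("User-Password", ""))
    if not ok:
        return radiusd.RLM_MODULE_REJECT
    # Hand the stripped password on so the ldap module sees a plain password.
    # Which list this pair lands in depends on the rlm_python version (assumption).
    return (radiusd.RLM_MODULE_UPDATED, (), (("User-Password", password),))
```

Check your server's rlm_python documentation for how returned attributes are applied before relying on the rewrite reaching the ldap module.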