Hi Heikki, I wonder if he should also look at AuthBy OTP? Cheers.
On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>
> Hello Alexander,
>
> > I'm trying to implement a two factor auth where the user has to enter
> > his Active Directory credentials.
> > Radiator checks those against the AD, if successful creates an OTP and
> > sends that to the mobile phone number fetched from the AD.
>
> Add State attribute to the challenge at this point.
>
> > A challenge is returned to the NAS.
>
> See this for how NAS should react to challenge.
> http://tools.ietf.org/html/rfc2865#section-5.24
>
> > My problem is that I can't distinguish the initial request and the
> > challenge response which should skip the AD auth because this time the
> > password field holds the OTP response.
>
> State should be echoed back in the challenge response unless the NAS is
> badly broken.
>
> > By looking at the radius packets with tcpdump I couldn't find a
> > difference in the radius attributes sent that let me write two different
> > handlers.
> >
> > Ideas?
>
> Try something like this. Note that I have used a fixed value for
> challenge, but you could make it generic to protect against replay
> attacks or some other information that might be useful for selecting the
> correct handler for verifying the challenge.
>
> <Handler attribute=value,...,State=whatever>
>     # Check challenge here
> </Handler>
>
> <Handler attribute=value,...>
>     # Generate OTP here and send challenge
>     <AuthBy ...>
>         # AD auth happens here
>         AddToReply State=whatever
>     </AuthBy>
> </Handler>
>
> Please let us know how it goes.
> Heikki

-- 
Mike McCauley                               mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474                      Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside,
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA,
Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows,
MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
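The challenge/response flow that Heikki's two-Handler configuration implements, as an added Python model that is not Radiator code and not from any poster in the thread: a first Access-Request without State goes through the AD check, gets an OTP, and is answered with Access-Challenge carrying a State; the NAS echoes that State back on the second request (RFC 2865 section 5.24), which therefore skips AD and is checked against the stored OTP. It uses the "generic" variant Heikki mentions rather than a fixed State value: a random per-session State bound to the OTP, with a time limit and single use, so a captured State/OTP pair cannot be replayed. `AD_USERS`, the phone number and the SMS sending are constructed stand-ins.

```python
import hmac
import secrets
import time

# Constructed stand-in for the Active Directory lookup: user -> (password, mobile number).
AD_USERS = {"alice": ("correct-horse", "+61400000000")}

OTP_TTL_SECONDS = 120  # how long a challenge stays answerable


class RadiusServer:
    """Toy model of the two <Handler> clauses: dispatch on the presence of State."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.sent_sms = []      # (mobile, otp) pairs that "went out" by SMS
        self.pending = {}       # State token -> (user, otp, expires_at)

    def ad_check(self, username, password):
        """Return the user's mobile number if the AD password is right, else None."""
        entry = AD_USERS.get(username)
        if entry is None:
            return None
        stored_pw, mobile = entry
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return None
        return mobile

    def handle(self, request):
        # Same selection rule as the config in the thread: a State attribute
        # means this answers an earlier challenge, otherwise it is a fresh login.
        if "State" in request:
            return self.challenge_handler(request)
        return self.initial_handler(request)

    def initial_handler(self, request):
        """First round: AD auth, generate OTP, send it, reply Access-Challenge."""
        user = request["User-Name"]
        mobile = self.ad_check(user, request["User-Password"])
        if mobile is None:
            return {"Code": "Access-Reject"}
        otp = f"{secrets.randbelow(10**6):06d}"
        # Random per-session State instead of a fixed "whatever": the answer is
        # only accepted for the session that was actually challenged.
        state = secrets.token_hex(16)
        self.pending[state] = (user, otp, self.now() + OTP_TTL_SECONDS)
        self.sent_sms.append((mobile, otp))   # stand-in for the SMS gateway
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent to your phone"}

    def challenge_handler(self, request):
        """Second round: NAS echoed State, User-Password now carries the OTP."""
        entry = self.pending.pop(request["State"], None)   # single use
        if entry is None:
            return {"Code": "Access-Reject"}
        user, otp, expires_at = entry
        if self.now() > expires_at or user != request["User-Name"]:
            return {"Code": "Access-Reject"}
        if not hmac.compare_digest(otp.encode(), request["User-Password"].encode()):
            return {"Code": "Access-Reject"}
        return {"Code": "Access-Accept"}


def demo_flow(server=None):
    """Run one complete login plus a replay of the same State/OTP; return the three codes."""
    server = server or RadiusServer()
    first = server.handle({"User-Name": "alice", "User-Password": "correct-horse"})
    if first["Code"] != "Access-Challenge":
        return (first["Code"], None, None)
    _mobile, otp = server.sent_sms[-1]
    answer = {"User-Name": "alice", "User-Password": otp, "State": first["State"]}
    second = server.handle(answer)
    replay = server.handle(dict(answer))
    return (first["Code"], second["Code"], replay["Code"])


if __name__ == "__main__":
    print(demo_flow())   # ('Access-Challenge', 'Access-Accept', 'Access-Reject')
```

In a real deployment the `pending` table would live in a shared store if several Radiator instances share a NAS, and the OTP comparison should stay constant-time and single-use as here; the handler selection itself is exactly what `State=whatever` on the first `<Handler>` does in the thread's config.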