

Configuring multiOTP
source link: https://wiki.freeradius.org/guide/multiOTP-HOWTO

Introduction
This guide shows the configuration needed to make multiOTP work with recent versions of FreeRADIUS. It does not cover setting up the tokens themselves; there is plenty of documentation on that already.
multiOTP tokens work with any PAP/CHAP/MS-CHAP/MS-CHAPv2 based authentication, including EAP-TTLS-PAP. With the right OS/supplicant software, tokens can be used for 802.1X authentication as well as for standard PAP/CHAP/MS-CHAP/MS-CHAPv2 authentication (apply the changes described below to the inner tunnel virtual server, 'raddb/sites-available/inner-tunnel', as well). This guide closely follows the NTLM Auth with PAP HOWTO, but with a little extra validation.
NT_KEY generation is also supported via the -request-nt-key option (the equivalent of ntlm_auth --request-nt-key). It is needed to enable VPN (PPTP + MPPE) with MS-CHAP/MS-CHAPv2, because the mschap module uses the returned NT hash to verify the response and derive the MPPE session keys.
Before starting or asking for help
- Make sure the multiotp.php script is executable, since the exec module runs it directly:
chmod +x /path/to/multiotp.php
- Verify that multiOTP is set up correctly by calling the script from the command line with the appropriate arguments (a valid user and a current OTP) and checking that it exits successfully.
FreeRADIUS 3.x.x
- Create 'raddb/modules/multiotp' (on FreeRADIUS 3.x the module files live in 'raddb/mods-available/', with a symlink in 'raddb/mods-enabled/') and add the following, which creates a new instance of the exec module. Keep 'shell_escape = yes' so that attribute values containing shell metacharacters are escaped before the program is run. Note that with this design the user name and password/OTP are passed to multiotp.php as command-line arguments, so they are visible in the process list to other local users while the script runs.

    # Exec module instance for multiOTP
    # Replace '/path/to' with the actual path to the multiotp.php file
    exec multiotp {
        wait = yes
        input_pairs = request
        output_pairs = reply
        program = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
        shell_escape = yes
    }
- Copy 'modules/mschap' to 'modules/multiotpmschap' (on 3.x, 'mods-available/mschap' to 'mods-available/multiotpmschap', enabled the same way). In multiotpmschap change the module header from

    mschap {

  to

    mschap multiotpmschap {

  and point the ntlm_auth variable at the multiOTP script, with the same arguments as the exec instance above:

    ntlm_auth = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
- Edit 'raddb/policy.conf' (on 3.x, policy.conf only includes 'raddb/policy.d/', so put the definitions in a file there without the outer 'policy { }' wrapper) and add the following. It overrides the authorize method of the multiotp exec instance so that authorize only sets Auth-Type; the script itself is run from authenticate. Only one of the last two tests may be active at a time.

    policy {
        # Change to a specific prefix if you want to deal with normal PAP
        # authentication as well as OTP, e.g. "multiotp_prefix = 'otp:'"
        multiotp_prefix = ''

        multiotp.authorize {
            # This test forces multiOTP for any MS-CHAP(v2) attempt
            if (control:Auth-Type == MS-CHAP) {
                update control {
                    Auth-Type := multiotpmschap
                }
            }
            # This test forces multiOTP for any MS-CHAP(v2) attempt
            # (the mschap module instance sets Auth-Type to its own name)
            elsif (control:Auth-Type == mschap) {
                update control {
                    Auth-Type := multiotpmschap
                }
            }
            # This test forces multiOTP for any CHAP attempt
            elsif (control:Auth-Type == chap) {
                update control {
                    Auth-Type := multiotp
                }
            }
            # This test is for decimal 10-digit OTP codes only (with the optional
            # prefix); any other password falls through to normal PAP. Change the
            # regex if your tokens produce something else:
            # elsif (!control:Auth-Type && User-Password =~ /^${policy.multiotp_prefix}([0-9]{10})$/) {
            #
            # Use this simple test instead to force multiOTP for any other attempt:
            elsif (!control:Auth-Type) {
                update control {
                    Auth-Type := multiotp
                }
            }
        }
    }
- Edit your virtual server file. The default for the outer server is 'raddb/sites-available/default'; for 802.1X/EAP-TTLS make the same changes in 'raddb/sites-available/inner-tunnel'.
- Add a call to multiotp in authorize, after the chap and mschap modules (the policy relies on the Auth-Type they set) and before pap:

    authorize {
        ...
        # Handle multiotp authentication
        multiotp
        # Handle other PAP authentication
        pap
        ...
    }
- Add the two Auth-Type sub-sections to the existing authenticate section:

    authenticate {
        Auth-Type multiotp {
            multiotp
        }
        Auth-Type multiotpmschap {
            multiotpmschap
        }
    }
- Start the server in debug mode

    radiusd -X

  and test authentication, for example with radtest or a real client. The debug output shows the expanded multiotp program line and whether the call succeeded, which is the first place to look when an OTP is rejected.
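As an added example (not part of the wiki page or the multiOTP project), the following POSIX shell script wraps the pre-flight checks from "Before starting or asking for help" together with the final end-to-end test. It checks that the script is executable, calls multiotp.php exactly as the exec module does (user, OTP, then the extra options, here just -request-nt-key) and reports its exit status, and finally runs radtest against the server. The script path, user name, OTP, server address, shared secret and the script file name are placeholders to be adapted; multiOTP exits 0 when the OTP is accepted.

```shell
#!/bin/sh
# Added pre-flight check for the multiOTP + FreeRADIUS setup described above.
# Not from the FreeRADIUS wiki or the multiOTP project; all paths and
# credentials below are placeholders.

# Return 0 if the multiOTP script exists and is executable (the exec module
# runs it directly, so a missing exec bit shows up as a failed authentication).
check_multiotp_executable() {
    script="$1"
    if [ ! -f "$script" ]; then
        echo "missing: $script" >&2
        return 1
    fi
    if [ ! -x "$script" ]; then
        echo "not executable: $script (fix with: chmod +x $script)" >&2
        return 1
    fi
    return 0
}

# Call the script the way the exec module does: user, password/OTP, then any
# extra options (e.g. -request-nt-key). Returns the script's exit status;
# 0 means the OTP was accepted. Note that the arguments are visible in the
# process list while the script runs, exactly as with the exec module.
multiotp_cli_check() {
    script="$1"; user="$2"; otp="$3"; shift 3
    if "$script" "$user" "$otp" "$@"; then
        rc=0
        echo "multiOTP accepted OTP for $user" >&2
    else
        rc=$?
        echo "multiOTP rejected OTP for $user (exit $rc)" >&2
    fi
    return "$rc"
}

# Exercise the whole chain through FreeRADIUS with radtest. The auth type
# selects the policy branch: pap (default), chap or mschap. Requires a running
# server and a matching entry in clients.conf for this host.
radius_check() {
    user="$1"; otp="$2"; server="$3"; secret="$4"; auth="${5:-pap}"
    radtest -t "$auth" "$user" "$otp" "$server" 0 "$secret"
}

# Usage: sh multiotp-preflight.sh /path/to/multiotp.php alice 123456 [server secret [pap|chap|mschap]]
if [ "$#" -ge 3 ]; then
    check_multiotp_executable "$1" || exit 1
    multiotp_cli_check "$1" "$2" "$3" -request-nt-key || exit 1
    if [ "$#" -ge 5 ]; then
        radius_check "$2" "$3" "$4" "$5" "${6:-pap}" || exit 1
    fi
fi
```

Run the CLI check first; if multiOTP rejects the code from the command line, no amount of FreeRADIUS configuration will make it pass, and the exit status tells you whether the problem is the user, the token or the script itself. Only then move on to radtest with each auth type you intend to support.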