not logged in | [Login]
Always use radiusd -X when debugging!
This guide shows the configuration necessary to make the multiOTP system work with recent versions of FreeRADIUS, it doesn't detail actually setting the tokens up, but there's plenty of documentation on that already.
multiOTP tokens will work with any type of PAP/CHAP/MS-CHAP/MS-CHAPv2 based authentication, including EAP-TTLS-PAP. With the correct OS/Supplicant software tokens can be used for 802.1X authentication and well as for standard PAP/CHAP/MS-CHAP/MS-CHAPv2 authentication (just make the changes described in the inner server). This guide closely follows the NTLM Auth with PAP HOWTO but with a little extra validation.
NT_KEY generation is also supported using the -request-nt-key option (like for ntlm_auth --request-nt-key option), which is needed in order to enable VPN (PPTP + MPPE) with MS-CHAP/MS-CHAPv2.
chmod +x /path/to/multiotp.php
Create 'raddb/modules/multiotp' and add the following, this will create a new instance of the exec module:
# Exec module instance for multiOTP
# Replace '/path/to' with the actual path to the multiotp.php file
exec multiotp {
wait = yes
input_pairs = request
output_pairs = reply
program = "/path/to/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
shell_escape = yes
}
Copy module/mschap to module/multiotpmschap. Change the following line in multiotpmschap:
"mschap {"
to
"mschap multiotpmschap {"
Also change ntlm_auth variable:
ntlm_auth = "/path/to/multiotp.php %{User-Name} %{User-Password}
-request-nt-key -src=%{Packet-Src-IP-Address}
-chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password}
-ms-chap-challenge=%{MS-CHAP-Challenge}
-ms-chap-response=%{MS-CHAP-Response}
-ms-chap2-response=%{MS-CHAP2-Response}"
Edit 'raddb/policy.conf' and add the following to override the authorize method of the exec module:
policy {
# Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP
# e.g. "multiotp_prefix = 'otp:'"
multiotp_prefix = ''
multiotp.authorize {
# This test force multiOTP for any MS-CHAP(v2) attempt
if (control:Auth-Type == MS-CHAP) {
update control {
Auth-Type := multiotpmschap
}
}
# This test force multiOTP for any MS-CHAP(v2) attempt
elsif (control:Auth-Type == mschap) {
update control {
Auth-Type := multiotpmschap
}
}
# This test force multiOTP for any CHAP attempt
elsif (control:Auth-Type == chap) {
update control {
Auth-Type := multiotp
}
}
# This test is for decimal OTP code only, otherwise you will have to change it
# elsif (!control:Auth-Type && User-Password =~ /^${policy.multiotp_prefix}([0-9]{10})$/) {
#
# Use this simple test for non decimal only OTP code: elsif (!control:Auth-Type) {
#
# This test force multiOTP for any other attempt
elsif (!control:Auth-Type) {
update control {
Auth-Type := multiotp
}
}
}
}
Edit your virtual server file, the default for the outer server is 'raddb/sites-available/default'
Add a call to multiotp before the pap module in authorize:
authorize {
...
# Handle multiotp authentication
multiotp
# Handle other PAP authentication
pap
...
}
Create the multiotp sub-section in authenticate:
authenticate {
Auth-Type multiotp {
multiotp
}
Auth-Type multiotpmschap {
multiotpmschap
}
}
Start the server up in debug mode radiusd -X and test authentication
Last edited by multiOTP (multiOTP), 2017-11-04 09:20:27
Sponsored by Network RADIUS 