[RADIATOR] two factor authentication
Heikki Vatiainen
hvn at open.com.au
Tue Jan 17 13:39:27 CST 2012
On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
Hello Alexander,
> I'm trying to implement a two factor auth where the user has to enter
> his Active Directory credentials.
> Radiator checks those against the AD, if successful creates an OTP and
> sends that to the mobile phone number fetched from the AD.
Add State attribute to the challenge at this point.
> A challenge is returned to the NAS.
See this for how NAS should react to challenge.
http://tools.ietf.org/html/rfc2865#section-5.24
> My problem is that I can't distinguish the initial request and the
> challenge response which should skip the AD auth because this time the
> password field holds the OTP response.
State should be echoed back in the challenge response unless the NAS is
badly broken.
> By looking at the radius packets with tcpdump I couldn't find a
> difference in the radius attributes sent that let me write two different
> handlers.
>
> Ideas?
Try something like this. Note that I have used a fixed value for
challenge, but you could make it generic to protect against replay
attacks or some other information that might be useful for selecting the
correct handler for verifying the challenge.
<Handler attribute=value,...,State=whatever>
# Check challenge here
</Handler>
<Handler attribute=value,...>
# Generate OTP here and send challenge
<AuthBy ...>
# AD auth happens here
AddToReply State=whatever
</AuthBy>
</Handler>
Please let us know how it goes.
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list