[RADIATOR] two factor authentication

Mike McCauley mikem at open.com.au
Tue Jan 17 14:12:53 CST 2012


Hi Heikki,

I wonder if he should also look at AuthBy OTP?
Cheers.

On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
> 
> Hello Alexander,
> 
> > I'm trying to implement a two factor auth where the user has to enter
> > his Active Directory credentials.
> > Radiator checks those against the AD, if successful creates an OTP and
> > sends that to the mobile phone number fetched from the AD.
> 
> Add State attribute to the challenge at this point.
> 
> > A challenge is returned to the NAS.
> 
> See this for how NAS should react to challenge.
> http://tools.ietf.org/html/rfc2865#section-5.24
> 
> > My problem is that I can't distinguish the initial request and the
> > challenge response which should skip the AD auth because this time the
> > password field holds the OTP response.
> 
> State should be echoed back in the challenge response unless the NAS is
> badly broken.
> 
> > By looking at the radius packets with tcpdump I couldn't find a
> > difference in the radius attributes sent that let me write two different
> > handlers.
> > 
> > Ideas?
> 
> Try something like this. Note that I have used a fixed value for
> challenge, but you could make it generic to protect against replay
> attacks or some other information that might be useful for selecting the
> correct handler for verifying the challenge.
> 
> <Handler attribute=value,...,State=whatever>
>    # Check challenge here
> </Handler>
> 
> <Handler attribute=value,...>
>    # Generate OTP here and send challenge
>    <AuthBy ...>
>       # AD auth happens here
>       AddToReply State=whatever
>    </AuthBy>
> </Handler>
> 
> 
> 
> Please let us know how it goes.
> Heikki
-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
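The two-round flow Heikki sketches above (first request: AD password, reply Access-Challenge carrying State; second request: the same State echoed back with the OTP in the password field) can be modelled in a few dozen lines. The following is an added example, not Radiator code and not part of the original thread: it does not speak RADIUS on the wire, the "AD" lookup is a constructed in-memory table, and the packets are plain dicts keyed by attribute name. It follows Heikki's replay remark by issuing a fresh random State per challenge, and additionally makes each outstanding OTP single-use and time-limited.

```python
"""Challenge/response OTP flow selected on the presence of the State attribute.

Added illustration of the design discussed on the list; it is not Radiator's
AuthBy code.  AD_USERS, CHALLENGE_TTL and the class name are assumptions made
for this example.
"""
import hmac
import secrets
import time

# Constructed stand-in for the Active Directory lookup: user -> (password, mobile).
AD_USERS = {"alice": ("correct horse", "+00-000-000-000")}

CHALLENGE_TTL = 120  # seconds an issued OTP remains valid (assumed value)


def ad_auth(user, password):
    """Stand-in for the AD bind.  Returns the user's mobile number on success."""
    entry = AD_USERS.get(user)
    if entry is None:
        return None
    stored, mobile = entry
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return mobile if hmac.compare_digest(stored.encode(), password.encode()) else None


class OtpChallengeServer:
    """Dispatches on State, like the two <Handler> clauses in Heikki's sketch."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # State value -> (user, otp, expiry)
        self.sent = []     # (mobile, otp) pairs handed to the SMS gateway stand-in

    def handle(self, req):
        # No State: first round (AD password).  State present: OTP verification.
        if "State" not in req:
            return self.first_round(req)
        return self.second_round(req)

    def first_round(self, req):
        mobile = ad_auth(req.get("User-Name", ""), req.get("User-Password", ""))
        if mobile is None:
            return {"code": "Access-Reject"}
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        # Fresh per challenge: a fixed State value would let a captured
        # challenge response be replayed against a later session.
        state = secrets.token_hex(16)
        self.pending[state] = (req["User-Name"], otp, self.clock() + CHALLENGE_TTL)
        self.sent.append((mobile, otp))  # where the real SMS send would happen
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent to your phone"}

    def second_round(self, req):
        # pop, not get: each challenge can be answered exactly once.
        entry = self.pending.pop(req["State"], None)
        if entry is None:
            return {"code": "Access-Reject"}  # unknown or already-used State
        user, otp, expiry = entry
        if self.clock() > expiry or user != req.get("User-Name"):
            return {"code": "Access-Reject"}
        if hmac.compare_digest(otp.encode(), req.get("User-Password", "").encode()):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}


if __name__ == "__main__":
    server = OtpChallengeServer()
    challenge = server.handle({"User-Name": "alice", "User-Password": "correct horse"})
    print(challenge["code"], challenge.get("Reply-Message"))
    code = server.sent[-1][1]  # the OTP the user would read off the phone
    print(server.handle({"User-Name": "alice", "User-Password": code,
                         "State": challenge["State"]})["code"])
```

The expiry check and the single-use pop are the two things the config sketch leaves to "# Check challenge here"; an OTP that can be replayed within its window, or that never expires, undoes most of what the second factor buys.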