[RADIATOR] Combining AuthSQLTOTP with other authication sources
samikk at open.com.au
Tue Dec 16 04:26:53 CST 2014
Radiator 4.14 includes configuration option 'EAP_GTC_PAP_Convert' that
converts EAP-GTC to standard PAP authentication to allow combining
multiple authentication sources with EAP-GTC.
You can have a handler that process EAP-messages, does the conversion
and then use same chain as for PAP authentication.
Converted packet includes attribute ConvertedFromGTC=1 that you can use
if you want to use separate handler.
On 08/04/2014 10:13 AM, Thomas Neumann wrote:
> Hi Hugh,
> Am 04.08.14 01:03, schrieb Hugh Irvine:
>> There is an example of how to do this sort of thing in:
>> goodies/digipassStatic.txt and goodies/digipassStatic.cfg
> Thanks for the pointer. That looks very helpful.
> Of course SQLTOTP/SQLHOTP will still need to have the username along
> with the OTP secret in their respective SQL tables, which kind of
> defeats the purpose of having Active Directory as the only source of
> user management (as requested by my client), but I think I'm going to
> solve this by storing the hex representation of the OTP secret in an
> unused Active Directory LDAP attribute of the user account (such as
> "employeeNumber", that allows me to get away without an AD schema
> extension), then I'll implement a small script that uses ldapsearch to
> fetch all AD users below a given OU that have the employeeNumber field
> set and belong to some "OTP-Login" group in AD and the fetched username
> and matching OTP secret (from the employeeNumber attribute) will be
> stored in the SQLTOTP table if not already present. That way I wont need
> to create every user twice, once in AD and then again in the SQLTOTP
> table. Every once in a while a garbage collection script would run that
> removes users from the SQLTOTP table that are no longer present in AD. I
> think that should do the trick.
> Thanks again!
> radiator mailing list
> radiator at open.com.au
Sami Keski-Kasari <samikk at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
More information about the radiator