Alan DeKok wrote:
Fabiano wrote:
  A database?  You should know what the *correct* password is, otherwise
you won't be able to authenticate the user.
You mean, for example making the OTP script (doing exactly the contrary
of what it actually does) write the password every 10 seconds to a
database for every user and then let freeradius check the db ?
Is this the only way ?

  It would help if you described what you are trying to do, and why.
Alan,

I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP server accepting only MSCHAPv2 auth. This PPTP server uses an internal database with flatfiles for authenticating VPN users but also offers auth through an external radius server. I thought that I could use the motp.sf.net project to make mobile clients (using cell phones and the j2me applet) authenticate with this setup. The MOTP project offers a shell script named otverify.sh which expects some arguments to verify the client (Username, OTP, Init-Secret, PIN, Time Offset).
Username and OTP are given by the VPN client
Init-Secret, PIN and Time Offset are specified in the radius users file.
Normally, this is done using xtradius, executing the script as external application and giving the arguments to it.
The script answers ACCEPT or FAIL for final auth.

That's it.

I'm stuck here, having MSCHAPv2 clients and an auth script not useable with MSCHAPv2 auth. I have also tried this with the supplied PAM motp module, but as you said this is not possible.
I had successful auths using radtest, but that's all... ;)

I think that what I will try is to rewrite the script in perl to generate the passwords every x seconds to a database and then make freeradius auth against the db entries.

Do you think this is the best way ?

Thanks again.
  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
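
An added sketch of the approach proposed in the message above (not code from the post or from the MOTP project): MS-CHAPv2 needs the server to know the correct password, so instead of verifying a submitted OTP the server computes the OTPs it would accept and stores them with an expiry. It assumes the Mobile-OTP formula (first 6 hex digits of MD5 over the 10-second epoch counter, init-secret and PIN) and takes the Time Offset in seconds; the function names and sample values are hypothetical.

```python
import hashlib
import time

STEP = 10  # seconds per OTP slot (assumption: Mobile-OTP granularity)


def motp(secret: str, pin: str, epoch: int) -> str:
    """Assumed Mobile-OTP formula: first 6 hex digits of MD5(slot + secret + PIN)."""
    slot = epoch // STEP
    return hashlib.md5(f"{slot}{secret}{pin}".encode()).hexdigest()[:6]


def candidates(secret: str, pin: str, now: int, offset_s: int = 0, skew_slots: int = 1):
    """Return (otp, valid_from, valid_until) for each slot within +/- skew_slots.

    offset_s is the per-user Time Offset, taken here in seconds (assumption).
    valid_from/valid_until are server-clock epochs, so a stored row can be
    purged as soon as its slot has passed.
    """
    client_slot_start = ((now + offset_s) // STEP) * STEP
    out = []
    for d in range(-skew_slots, skew_slots + 1):
        start = client_slot_start + d * STEP
        out.append((motp(secret, pin, start), start - offset_s, start - offset_s + STEP))
    return out


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for otp, start, end in candidates("0123456789abcdef", "1234", int(time.time())):
        print(f"{otp}  valid {start}..{end}")
```

Rows written from this output hold a usable password in clear, so they should be deleted once `valid_until` has passed and the table should be readable only by the RADIUS server.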
