Hi Ivan.
> exec motp {
>         wait = yes
>         program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>         input_pairs = request
>         output_pairs = config
> }
>
> You have changed them to reply items ...
>
> /etc/freeradius/users:
>
> DEFAULT Auth-Type = Accept
>         Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'",
>         Fall-Through = Yes
>
> user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
>
> ... but configured them as check items. Revert to original exec line and
> place user entry *above* DEFAULT entry.
Thanks for your advice.
I configured the users file as described above, but it didn't work. Now I
can see that freeradius never calls the external script.
It seems that freeradius never uses the "MOTP" Auth-Type:
[...]
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78
        User-Name = "user1"
        User-Password = "secret"
        Service-Type = Authenticate-Only
        NAS-Identifier = "debian.local"
        NAS-IP-Address = 192.168.82.40
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
users: Matched entry user1 at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "secret"
rlm_pap: Using CRYPT encryption.
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret]
(from client 192.168.82.40 port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78
Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 109
Sending delayed reject for request 0
Sending Access-Reject of id 109 to 192.168.82.40 port 1026
Waking up in 4.9 seconds.
Cleaning up request 0 ID 109 with timestamp +17
Ready to process requests.
Do I need to configure something in the authorize section or somewhere
else?
Thank you for your help.
Stefan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
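The external verifier that the exec/Exec-Program-Wait lines in the thread call, written out as an added example (this is not code from the thread, from the script at /usr/local/bin/otpverify.sh, or from the FreeRADIUS project). It takes the five arguments in the order the configuration passes them: user, password, secret, PIN, offset. The token algorithm is an assumption, since the page never states it: the Mobile-OTP scheme, where the token is the first six hex characters of MD5(floor(epoch/10) || secret || PIN), checked over a window of plus or minus three minutes with the per-user Offset (assumed to be seconds) added to the server clock. The WINDOW size, the md5hex helper, the Reply-Message output and the argument-count guard are also my choices. The exit status is what rlm_exec and Exec-Program-Wait act on: 0 accepts, non-zero rejects.

```shell
#!/bin/sh
# otpverify.sh: verifier for the rlm_exec / Exec-Program-Wait call in the thread.
# Invoked as: otpverify.sh USER PASSWORD SECRET PIN OFFSET
# Exit 0 = accept, 1 = reject (that exit status is what FreeRADIUS acts on).
# ASSUMPTION (not stated on the page): tokens follow the Mobile-OTP scheme,
#   token = first 6 hex chars of md5( floor(epoch/10) . secret . pin )
# and OFFSET is the user's clock offset in seconds.

WINDOW=${WINDOW:-18}   # accept +/- 18 ten-second periods (3 minutes of drift)

# md5hex: MD5 of stdin as 32 lowercase hex chars (md5sum on Linux, md5 on BSD)
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -c1-32; else md5; fi
}

# motp_token EPOCH SECRET PIN -> the token valid for the 10-second period of EPOCH
motp_token() {
    period=$(( $1 / 10 ))
    printf '%s%s%s' "$period" "$2" "$3" | md5hex | cut -c1-6
}

# motp_verify TOKEN SECRET PIN OFFSET NOW
# Returns 0 if TOKEN matches any period within +/-WINDOW of (NOW + OFFSET), else 1.
motp_verify() {
    token=$1; secret=$2; pin=$3; offset=$4; now=$5
    # Reject anything that is not 6 lowercase hex digits before doing any hashing.
    case "$token" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    base=$(( now + offset ))
    i=$(( 0 - WINDOW ))
    while [ "$i" -le "$WINDOW" ]; do
        if [ "$(motp_token $(( base + i * 10 )) "$secret" "$pin")" = "$token" ]; then
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

main() {
    if motp_verify "$2" "$3" "$4" "$5" "$(date +%s)"; then
        # stdout is parsed as attribute pairs by rlm_exec / Exec-Program-Wait
        echo "Reply-Message = \"OTP accepted for $1\""
        exit 0
    fi
    echo "Reply-Message = \"OTP rejected for $1\""
    exit 1
}

# Run only when called with the five arguments FreeRADIUS supplies. Any other
# non-zero count is a misconfiguration and must reject, never fall through to
# exit 0. With no arguments at all (e.g. sourced for testing) nothing runs.
if [ "$#" -eq 5 ]; then
    main "$@"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 user password secret pin offset" >&2
    exit 1
fi
```

Two things a practitioner should keep in mind with this calling convention: the script only ever runs if the request's Auth-Type resolves to the module that executes it, and the debug output above shows Auth-Type resolving to PAP instead, so the script is never reached regardless of its contents; and because the one-time password is handed over as a command-line argument, it is visible in the process list on the RADIUS host for as long as the script runs, which is acceptable for a short-lived OTP but not for a static password.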