Thanks a lot, Christian. That's the way it should work. More detail on what I
want to do:

I want users to use Active Directory information first and then OTP second. So
my thinking is that the Cisco ASA uses RADIUS to talk to the freeradius server.
The freeradius server talks to PAM on the server itself. The PAM stack puts
Active Directory first and then oath. I think this should work. Let me try
and get back to you guys.

Lou

On Tue, Jun 7, 2011 at 3:51 PM, Christian Hesse <[email protected]> wrote:

> Hailu Meng <[email protected]> on Tue, 7 Jun 2011 13:57:51 -0500:
> > Hi All,
> >
> > My plan is to integrate oath toolkit with free radius server. Then we can
> > run otp authentication over radius. So any client supporting radius can use
> > otp authentication, like Cisco ASA. We can put a Radius server for
> > authentication. Freeradius talks to oath-toolkit for otp authentication.
>
> That should be possible...
> Just enable pam authentication module, should be something like this
> in /etc/raddb/sites-enabled/default (or wherever your distribution places
> it):
>
> [...]
> authenticate {
>        [...]
>        pam
>        [...]
> }
> [...]
>
> Then edit /etc/raddb/modules/pam:
>
> pam {
>        pam_auth = radiusd
> }
>
> And make your settings for pam_oath.so in /etc/pam.d/freeradius.
> Ok, freeradius is a monster... Probably you need some more settings... But
> that's the way to go. Let us know if it works!
> --
> Best regards
> Chris
>
