radiusplugin-users

RE: SV: [Radiusplugin-users] RADIUS challenge support


From: Robert Svensson
Subject: RE: SV: [Radiusplugin-users] RADIUS challenge support
Date: Thu, 8 Jan 2009 20:11:40 +0100

Hi,
Wouldn't it be possible to present the access challenge message, ask for input 
and then send the packet to the RADIUS server for authentication?
I did a quick hack of the source code and was able to filter out the 
access-challenge (code 11). But I guess sending back additional input to the 
RADIUS server is far more complicated than that?

Thanx
Robert
________________________________________
From: Ralf Lübben address@hidden
Sent: Thursday, January 08, 2009 4:14 PM
To: address@hidden
Cc: Robert Svensson
Subject: Re: SV: [Radiusplugin-users] RADIUS challenge support

Hi,

I think this is not possible with OpenVPN, because first the plugin cannot ask
the OpenVPN server for the one time password and second the OpenVPN server
cannot ask the OpenVPN client for the one time password.

The only solution I can think of is to use the username and the one time
password as the normal password during the authentication phase.

See http://www.howtoforge.com/openvpn_wikid_strong_authentication

Regards
Ralf





On Thursday 08 January 2009 15:39:52 Robert Svensson wrote:
> Hi,
> I work with a few RADIUS servers that require the handling of RADIUS
> challenge and response to authenticate users. One example is the use of one
> time password token cards. After a successful user name and password
> authentication, the RADIUS server asks the user to input the one time
> password that is then checked against the RADIUS server. In short, the
> plugin needs to support additional user input that is not available to the
> plugin when a user enters her user name and password.
>
> I hope this isn't too confusing.
>
> All the best
> Robert
>
> -----Original message-----
> From: Ralf Lübben [mailto:address@hidden
> Sent: 6 January 2009 21:20
> To: address@hidden
> Cc: Robert Svensson
> Subject: Re: [Radiusplugin-users] RADIUS challenge support
>
> Hi,
>
> right, the user would be rejected, the problem is that the plugin itself
> can't communicate with OpenVPN and ask for new attributes. The plugin only
> delivers ERROR or SUCCESS back to OpenVPN. Maybe the assumption is not
> totally right, but I think there is no other way so far. If you need
> additional attributes which should be sent to the radius server, it is no
> problem to add them. In my opinion there is no way to handle an access
> challenge packet from the radius server. You only can send information to
> the radius server which is available in the plugin, but this information
> you can directly add in the access request. Do you think there are situations
> where you only should provide information in the access challenge even if
> you could have sent it already in the access request?
>
> Ralf
>
> On Monday 05 January 2009 22:15:27 Robert Svensson wrote:
> > Hi,
> > Will there be support for radius access challenge in the module some day?
> > By looking at the code it seems like a RADIUS access challenge is
> > treated the same way as an ACCESS reject. Is this a correct assumption?
> >
> > Thanx
> > Robert Svensson
> > Mideye AB
> >
> >
> > _______________________________________________
> > Radiusplugin-users mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
>
> _______________________________________________
> Radiusplugin-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
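
What recognising the Access-Challenge (code 11) discussed in this thread involves on the RADIUS client side, as an added example that is not part of the original messages or the radiusplugin source: the reply carries a Reply-Message prompt and a State attribute that a client has to return unmodified in its next Access-Request. Packet codes and attribute types are from RFC 2865; `RadiusReply`, `parse_reply` and `sample_challenge` are hypothetical names, and the sample packet is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// RADIUS packet codes and attribute types from RFC 2865.
enum : uint8_t { ACCESS_ACCEPT = 2, ACCESS_REJECT = 3, ACCESS_CHALLENGE = 11 };
enum : uint8_t { ATTR_REPLY_MESSAGE = 18, ATTR_STATE = 24 };

struct RadiusReply {
    uint8_t code = 0;
    uint8_t id = 0;
    std::string reply_message;  // prompt to show the user on a challenge
    std::string state;          // opaque; echoed unmodified in the next Access-Request
    bool needs_user_input() const { return code == ACCESS_CHALLENGE; }
};

// Parse the 20-byte header (code, id, length, authenticator) and the TLV attributes.
// Returns false on any length inconsistency instead of reading out of bounds.
bool parse_reply(const std::vector<uint8_t>& pkt, RadiusReply& out) {
    if (pkt.size() < 20) return false;
    std::size_t len = (std::size_t(pkt[2]) << 8) | pkt[3];
    if (len < 20 || len > pkt.size()) return false;
    RadiusReply r;
    r.code = pkt[0];
    r.id = pkt[1];
    for (std::size_t i = 20; i < len;) {
        if (i + 2 > len) return false;                    // truncated attribute header
        uint8_t type = pkt[i], alen = pkt[i + 1];
        if (alen < 2 || i + alen > len) return false;     // attribute length includes its header
        std::string val(pkt.begin() + i + 2, pkt.begin() + i + alen);
        if (type == ATTR_REPLY_MESSAGE) r.reply_message += val;
        else if (type == ATTR_STATE) r.state = val;
        i += alen;
    }
    out = r;
    return true;
}

// Constructed sample: Access-Challenge, id 7, Reply-Message "Enter OTP", State "s1".
std::vector<uint8_t> sample_challenge() {
    std::vector<uint8_t> p = {ACCESS_CHALLENGE, 7, 0, 0};
    p.insert(p.end(), 16, uint8_t(0));  // authenticator, zeroed and not verified here
    const std::string msg = "Enter OTP", st = "s1";
    p.push_back(ATTR_REPLY_MESSAGE); p.push_back(uint8_t(msg.size() + 2));
    p.insert(p.end(), msg.begin(), msg.end());
    p.push_back(ATTR_STATE); p.push_back(uint8_t(st.size() + 2));
    p.insert(p.end(), st.begin(), st.end());
    p[2] = uint8_t(p.size() >> 8); p[3] = uint8_t(p.size() & 0xff);
    return p;
}
```

The parser does not check the Response Authenticator, which a real client must verify with the shared secret before acting on any reply.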





