summaryrefslogtreecommitdiffstats
path: root/raddb/sites-available/challenge
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/sites-available/challenge')
-rw-r--r--raddb/sites-available/challenge123
1 files changed, 123 insertions, 0 deletions
diff --git a/raddb/sites-available/challenge b/raddb/sites-available/challenge
new file mode 100644
index 0000000..c3aeb08
--- /dev/null
+++ b/raddb/sites-available/challenge
@@ -0,0 +1,123 @@
+#
+# This file gives an example of using Challenge-Response
+#
+# In this example, the user logs in with a password, which has
+# to be "hello". The server will send them a challenge
+# consisting of a random number 0..9. The user has to respond
+# with that number.
+#
+#
+# $Id$
+#
+listen {
+ type = auth
+ ipaddr = *
+ port = 2000
+ virtual_server = challenge
+}
+
+server challenge {
+authorize {
+ #
+ # OTP requires a password.
+ #
+ if (!User-Password) {
+ reject
+ }
+
+ #
+ # If there's no State attribute, then this is the first
+ # request from the user.
+ #
+ if (!State) {
+ #
+ # Set the authentication to use step 1.
+ update control {
+ Auth-Type := Step1
+
+ #
+ # For testing we will just set the password to "hello".
+ #
+ # Normally the password comes from "ldap" or "sql".
+ #
+ Cleartext-Password := "hello"
+
+# ldap
+# sql
+# ...
+ }
+ }
+ else {
+ #
+ # Check that the password looks like an OTP
+ #
+ if (User-Password !~ /[0-9]{6}/) {
+ reject
+ }
+
+ #
+ # Set the authentication to use step 2.
+ # Set the "known good" password to the number
+ # saved in the session-state list.
+ #
+ update control {
+ Auth-Type := Step2
+
+ #
+ # For testing, ensure that the user enters the same password.
+ #
+ # Normally this section should look up a TOTP-Secret, and
+ #
+ Cleartext-Password := &session-state:Tmp-Integer-0
+
+ #
+ # Normally this section should also set &control:TOTP-Secret, too.
+ #
+ TOTP-Password := &User-Password
+ }
+ }
+}
+
+authenticate {
+ Auth-Type Step1 {
+ # If the password doesn't match, the user is rejected
+ # immediately.
+ pap
+
+ #
+ # For testing, just use a 6 digit random OTP.
+ #
+ update session-state {
+ Tmp-Integer-0 := "%{randstr:nnnnnn}"
+ }
+
+ #
+ # For testing, tell the user what OTP to enter.
+ #
+ # Don't do this in production...
+ #
+ update reply {
+ Reply-Message := "Please enter OTP %{session-state:Tmp-Integer-0}"
+ }
+
+ #
+ # Send an Access-Challenge.
+ # See raddb/policy.d/control for the definition
+ # of "challenge"
+ #
+ challenge
+ }
+
+ Auth-Type Step2 {
+ #
+ # For testing, do PAP authentication with the password.
+ #
+ pap
+
+ #
+ # Normally you'd do TOTP checks via the TOTP module.
+ #
+# totp
+ }
+}
+}