summaryrefslogtreecommitdiffstats
path: root/raddb/sites-available/challenge
blob: c3aeb0865bbfc52be9690e396196b89a2e1ae761 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

#
#	This file gives an example of using Challenge-Response
#
#	In this example, the user logs in with a password, which has
#	to be "hello".  The server will send them a challenge
#	consisting of a random number 0..9.  The user has to respond
#	with that number.
#
#
#	$Id$
#
listen {
	type = auth
	ipaddr = *
	port = 2000
	virtual_server = challenge
}

server challenge {
authorize {
	#
	#  OTP requires a password.
	#
	if (!User-Password) {
		reject
	}

	#
	#  If there's no State attribute, then this is the first
	#  request from the user.
	#
	if (!State) {
		#
		#  Set the authentication to use step 1.
		update control {
			Auth-Type := Step1

			#
			#  For testing we will just set the password to "hello".
			#
			#  Normally the password comes from "ldap" or "sql".
			#
			Cleartext-Password := "hello"

#			ldap
#			sql
#			...
		}
	}
	else {
		#
		#  Check that the password looks like an OTP
		#
		if (User-Password !~ /[0-9]{6}/) {
			reject
		}

		#
		#  Set the authentication to use step 2.
		#  Set the "known good" password to the number
		#  saved in the session-state list.
		#
		update control {
			Auth-Type := Step2

			#
			#  For testing, ensure that the user enters the same password.
			#
			#  Normally this section should look up a TOTP-Secret, and
			#
			Cleartext-Password := &session-state:Tmp-Integer-0

			#
			#  Normally this section should also set &control:TOTP-Secret, too.
			#
			TOTP-Password := &User-Password
		}
	}
}

authenticate {
	Auth-Type Step1 {
		#  If the password doesn't match, the user is rejected
		#  immediately.
		pap

		#
		#  For testing, just use a 6 digit random OTP.
		#
		update session-state {
			Tmp-Integer-0 := "%{randstr:nnnnnn}"
		}

		#
		#  For testing, tell the user what OTP to enter.
		#
		#  Don't do this in production...
		#
		update reply {
			Reply-Message := "Please enter OTP %{session-state:Tmp-Integer-0}"
		}

		#
		#  Send an Access-Challenge.
		#  See raddb/policy.d/control for the definition
		#  of "challenge"
		#
		challenge
	}

	Auth-Type Step2 {
		#
		#  For testing, do PAP authentication with the password.
		#
		pap

		#
		#  Normally you'd do TOTP checks via the TOTP module.
		#
#		totp
	}
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-19 19:30:41 +0000