Re: SV: [Radiusplugin-users] RADIUS challenge support

radiusplugin-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SV: [Radiusplugin-users] RADIUS challenge support

From:	Ralf Lübben
Subject:	Re: SV: [Radiusplugin-users] RADIUS challenge support
Date:	Thu, 8 Jan 2009 16:14:00 +0100
User-agent:	KMail/1.9.10

Hi,

I think this is not possible with OpenVPN, because first the plugin cannot ask 
the OpenVPN server for the one time password and second the OpenVPN server 
cannot ask the OpenVPN client for the one time password.

The only solution I can think about is to use the username and the one time 
password as the normal password during the authentication phase.

See http://www.howtoforge.com/openvpn_wikid_strong_authentication

Regards
Ralf



 

On Thursday 08 January 2009 15:39:52 Robert Svensson wrote:
> Hi,
> I work with a few RADIUS servers that require the handling of RADIUS
> challenge and response to authenticate users. One example is the use of one
> time password token cards. After a successful user name and password
> authentication, the RADIUS server asks the user to input the one time
> password than is then checked against the RADIUS server. In short, the
> plugin needs to support additional user input that is not available to the
> plugin when a user enters her user name and password.
>
> I hope this isn't too confusing.
>
> All the best
> Robert
>
> -----Ursprungligt meddelande-----
> Från: Ralf Lübben [mailto:address@hidden
> Skickat: den 6 januari 2009 21:20
> Till: address@hidden
> Kopia: Robert Svensson
> Ämne: Re: [Radiusplugin-users] RADIUS challenge support
>
> Hi,
>
> right the user would be rejected, the problem is that the plugin itself
> can't communicate with OpenVPN and ask for new attributes. The plugin only
> delivers ERROR or SUCCESS back to OpenVPN. Maybe the assumption is not
> totally right, but I think there is no other way so far. If you need
> additional attributes which should be sent to the radius server, it is no
> problem to add them. In my opinion there is no way to handle a access
> challenge packet from the radius server. You only can send information to
> the radius server which are available in the plugin, but these information
> you can directly add in the access request. Do think there are situations
> where you only should provide information in the access challenge even if
> you could have send them already in the access request?
>
> Ralf
>
> Am Montag 05 Januar 2009 22:15:27 schrieb Robert Svensson:
> > Hi,
> > Will there be support for radius access challenge in the module some day?
> > By looking at the code it seems like a RADIUS access challenge is
> > treated the same way as an ACCESS reject. Is this a correct assumption?
> >
> > Thanx
> > Robert Svensson
> > Mideye AB
> >
> >
> > _______________________________________________
> > Radiusplugin-users mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
>
> _______________________________________________
> Radiusplugin-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users

[Prev in Thread]

Current Thread

[Next in Thread]

[Radiusplugin-users] RADIUS challenge support, Robert Svensson, 2009/01/05
- Re: [Radiusplugin-users] RADIUS challenge support, Ralf Lübben, 2009/01/06
  - SV: [Radiusplugin-users] RADIUS challenge support, Robert Svensson, 2009/01/08
    - Re: SV: [Radiusplugin-users] RADIUS challenge support, Ralf Lübben <=
    - RE: SV: [Radiusplugin-users] RADIUS challenge support, Robert Svensson, 2009/01/08

Prev by Date: SV: [Radiusplugin-users] RADIUS challenge support
Next by Date: RE: SV: [Radiusplugin-users] RADIUS challenge support
Previous by thread: SV: [Radiusplugin-users] RADIUS challenge support
Next by thread: RE: SV: [Radiusplugin-users] RADIUS challenge support
Index(es):
- Date
- Thread