Freeradius Example Configuration
Note: For detailed instructions you should check the sample configs that come with OTPme.
To use OTPme with FreeRADIUS, add a separate virtual host (a FreeRADIUS virtual server) and a copy of the mschap module, named mschap_otp below, whose ntlm_auth command calls otpme-auth instead of Samba's ntlm_auth:
modules/mschap_otp
    # verify ntlm requests with otpme
    mschap_otp {
        ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap_otp:Challenge}:-00} %{%{mschap_otp:NT-Response}:-00} %{NAS-Identifier} %{Client-IP-Address}"
    }
Because the module instance is called mschap_otp, the challenge and NT-Response are expanded as %{mschap_otp:Challenge} and %{mschap_otp:NT-Response} rather than %{mschap:...}.
If you want to use the virtual host config below, you have to comment out all listen directives in radiusd.conf (or in the other virtual hosts), or choose different IP addresses or ports for the otpme server to listen on; two listeners cannot bind the same address and port.
sites-available/otpme
    # otpme virtualhost
    server otpme {
        listen {
            # listen on localhost only by default
            ipaddr = 127.0.0.1
            # listen on public ip
            #ipaddr = 192.168.1.1
            port = 1812
            type = auth
        }

        # allow requests from localhost
        client 127.0.0.1 {
            secret = 1234567890
            shortname = localhost
        }

        ### add an additional client
        ##client 192.168.1.2 {
        ##    secret = 0987654321
        ##    shortname = client1
        ##}

        authenticate {
            Auth-Type EAP {
                eap
            }
            Auth-Type MS-CHAP {
                # use module config mschap_otp for ntlm requests
                mschap_otp
            }
        }

        authorize {
            eap
            # use otpme for clear-text passwords
            if (!control:Auth-Type) {
                update control {
                    Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}`
                }
            }
        }
    }

The secrets 1234567890 and 0987654321 are placeholders. The shared secret is the only thing that hides User-Password on the wire (RFC 2865 obfuscates it with MD5 over the secret and the Request Authenticator), so use a long random secret per client. The backtick expansion in authorize runs otpme-auth and uses its standard output as the Auth-Type; note that it passes %{User-Password} as a command-line argument, which is visible to other local users in the process list for the duration of the call, so the RADIUS host should not be shared with untrusted local accounts.
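The authorize section above hands otpme-auth the clear-text password that the NAS sent in the User-Password attribute, obfuscated on the wire with the client's shared secret. The following added example (not OTPme or FreeRADIUS code) builds such a PAP Access-Request as RFC 2865 specifies and decodes it the way the server does, using the placeholder secret 1234567890 from the client block; the user name alice, the NAS-Identifier nas1, the password and all function names are constructed for illustration:

```python
"""Encode and decode a RADIUS PAP Access-Request (RFC 2865) the way the
otpme virtual server receives it. Added example, not OTPme code."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeding the chain with the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def decode_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of encode_password; the trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         nas_id: bytes, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """What a NAS (e.g. the localhost client in the config) puts on the wire."""
    authenticator = authenticator or os.urandom(16)  # fresh per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def server_side_password(packet: bytes, secret: bytes) -> bytes:
    """The clear-text value FreeRADIUS exposes as %{User-Password}, which the
    authorize section passes to otpme-auth."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != CODE_ACCESS_REQUEST or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a PAP Access-Request")
    return decode_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    # Constructed sample: placeholder secret from the client block above,
    # hypothetical user, NAS-Identifier and password.
    secret = b"1234567890"
    pkt = build_access_request(7, b"alice", b"correct horse battery", b"nas1", secret)
    print(pkt.hex())
    print(server_side_password(pkt, secret))
```

Decoding with any other secret yields garbage, which is the whole protection the password has between NAS and server: anyone who holds (or can guess) the shared secret and captures the request recovers the clear-text password, hence the advice above to replace the placeholder secrets.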
To process EAP requests you also have to modify eap.conf, so that the inner requests of EAP-TTLS and PEAP tunnels are routed to the otpme virtual server:
    eap {
        default_eap_type = peap
        # only gentoo?
        #tls {
        #    virtual_server = otpme
        #}
        ttls {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            virtual_server = "otpme"
        }
        peap {
            copy_request_to_tunnel = no
            virtual_server = "otpme"
        }
    }