
Freeradius Example Configuration

Note: For detailed instructions you should check the sample configs that come with OTPme.

To use OTPme with FreeRADIUS you should add a separate virtual host and a copy of the mschap module.

modules/mschap_otp

# mschap module instance for OTPme: NTLM/MS-CHAP verification is handed to the
# external otpme-auth command configured as ntlm_auth.
# Arguments, in order: user name (Stripped-User-Name, else User-Name, else the
# literal "None"), this instance's Challenge and NT-Response ("00" when either
# is absent), then NAS-Identifier and Client-IP-Address.
# NOTE(review): the challenge/response pair travels on the command line and
# may be visible to other local users via the process list — confirm that is
# acceptable on the RADIUS host.
mschap mschap_otp {
        ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap_otp:Challenge}:-00} %{%{mschap_otp:NT-Response}:-00} %{NAS-Identifier} %{Client-IP-Address}" 
}

If you want to use the virtual host config below you have to comment out all listen directives in radiusd.conf (or in the other virtual hosts), or choose different IPs to listen on.

sites-available/otpme

# otpme virtual host: a dedicated server block so that OTPme handling does not
# interfere with the default site. It is also the target of the
# virtual_server settings in eap.conf below.
server otpme {
        listen {
                # listen on localhost only by default (loopback, auth port 1812)
                ipaddr = 127.0.0.1

                # listen on a public ip instead — sample address, adjust to the
                # host's real interface before enabling
                #ipaddr = 192.168.1.1

                port = 1812
                type = auth
        }

        # allow requests from localhost.
        # The secret below is a sample value only: replace it with a unique,
        # strong secret before use, since it is what authenticates packets from
        # this client to the server.
        client 127.0.0.1 {
                secret          = 1234567890
                shortname       = localhost
        }

        ### add an additional client (sample values; one block per NAS/IP)
        ##client 192.168.1.2 {
        ##      secret          = 0987654321
        ##      shortname       = client1
        ##}

        # Auth-Type selection: which module actually verifies credentials.
        authenticate {
                # EAP (PEAP/TTLS from eap.conf) is handled by the eap module
                Auth-Type EAP {
                        eap
                }

                # MS-CHAP requests are verified by the mschap_otp instance,
                # i.e. by otpme-auth verify_ntlm
                Auth-Type MS-CHAP {
                        # use module config mschap_otp for ntlm requests
                        mschap_otp
                }
        }

        authorize {
                # let eap claim EAP requests first (it sets control:Auth-Type)
                eap

                # use otpme for clear-text passwords: when no module has set
                # Auth-Type yet, run otpme-auth verify and take its stdout as
                # the Auth-Type value.
                # NOTE(review): User-Password is passed as a command-line
                # argument. It may be visible to other local users via the
                # process list, and a password containing whitespace may be
                # split into several arguments by the exec expansion — confirm
                # otpme-auth copes with both before relying on this path.
                if (!control:Auth-Type) {
                        update control {
                                Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}`
                        }
                }
        }
}

To process EAP you also have to modify the eap.conf file:

# eap.conf: route the inner (tunneled) authentication of PEAP and TTLS to the
# otpme virtual server defined above, so tunneled MS-CHAPv2 ends up in
# mschap_otp.
eap {   
        # EAP type offered first; PEAP carries MS-CHAPv2 inside the TLS tunnel
        default_eap_type = peap

        # NOTE(review): the original note reads "only gentoo?" — setting
        # virtual_server inside tls {} is apparently needed only on some
        # distributions/versions; confirm against your FreeRADIUS build before
        # uncommenting.
        #tls {
        #       virtual_server = otpme
        #}

        ttls {  
                # inner method inside the TTLS tunnel
                default_eap_type = mschapv2
                # copy attributes of the outer request into the inner request
                copy_request_to_tunnel = yes
                # inner request is processed by the otpme virtual host
                virtual_server = "otpme" 
        }

        peap {  
                # outer request attributes are NOT copied into the tunnel
                copy_request_to_tunnel = no
                # inner request is processed by the otpme virtual host
                virtual_server = "otpme" 
        }
}