FreeRADIUS Example Configuration
Note: For detailed instructions you should check the sample configs that come with OTPme.
To use OTPme with FreeRADIUS you should add a separate virtual host and a copy of the mschap module.
modules/mschap_otp
# verify ntlm requests with otpme
# Copy of the stock mschap module instance that hands NTLM/MS-CHAP verification
# to otpme-auth instead of an external ntlm_auth helper.
mschap mschap_otp {
    # Arguments handed to otpme-auth, in order:
    #   1. username: Stripped-User-Name, falling back to User-Name, then the literal "None"
    #   2. MS-CHAP challenge  (defaults to "00" when the attribute is absent)
    #   3. NT-Response        (defaults to "00" when the attribute is absent)
    #   4. NAS-Identifier
    #   5. Client-IP-Address
    # The "mschap_otp:" xlat prefix presumably refers to this module instance
    # name; if the instance is renamed, keep the prefix in sync — verify against
    # the FreeRADIUS version in use.
    ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} %{%{mschap_otp:Challenge}:-00} %{%{mschap_otp:NT-Response}:-00} %{NAS-Identifier} %{Client-IP-Address}"
}
If you want to use the virtual host config below you have to comment out all listen directives in radiusd.conf (or the virtual host) or choose different IP addresses to listen on.
sites-available/otpme
# otpme virtualhost
# Dedicated virtual server for OTPme. It only handles authentication (type = auth)
# and forwards both MS-CHAP and clear-text password checks to otpme-auth.
server otpme {
    listen {
        # listen on localhost only by default
        ipaddr = 127.0.0.1
        # listen on public ip
        # NOTE: enabling this exposes the RADIUS auth port beyond this host;
        # every peer then needs its own client {} entry below.
        #ipaddr = 192.168.1.1
        port = 1812
        type = auth
    }
    # allow requests from localhost
    client 127.0.0.1 {
        # EXAMPLE VALUE ONLY: the shared secret protects the RADIUS exchange with
        # the NAS; replace it with a long, site-specific secret before deployment.
        secret = 1234567890
        shortname = localhost
    }
    ### add an additional client
    ##client 192.168.1.2 {
    ##    secret = 0987654321
    ##    shortname = client1
    ##}
    authenticate {
        # EAP requests (PEAP/TTLS outer and inner) are handled by the eap module
        # configured in eap.conf.
        Auth-Type EAP {
            eap
        }
        Auth-Type MS-CHAP {
            # use module config mschap_otp for ntlm requests
            mschap_otp
        }
    }
    authorize {
        eap
        # use otpme to for clear-text passwords
        # Only runs when no earlier module (e.g. eap) has already set Auth-Type.
        # The backtick expansion executes otpme-auth with the expanded attributes
        # as arguments; the command's output becomes the Auth-Type value.
        # User-Password is passed to an external program in clear text here, so
        # this path is only as safe as the transport that delivered the password
        # (e.g. inside a PEAP/TTLS tunnel) — confirm for your deployment.
        if (!control:Auth-Type) {
            update control {
                Auth-Type := `/usr/local/bin/otpme-auth -l verify %{User-Name} %{User-Password} %{NAS-Identifier} %{Client-IP-Address}`
            }
        }
    }
}
To process EAP you also have to modify the eap.conf file so that the inner tunnel requests are handled by the otpme virtual server:
# eap.conf: route the inner (tunneled) authentication of TTLS and PEAP to the
# otpme virtual server so that the mschap_otp module and the clear-text check
# defined there are used.
eap {
    default_eap_type = peap
    # only gentoo?
    #tls {
    #    virtual_server = otpme
    #}
    ttls {
        default_eap_type = mschapv2
        # TTLS: outer request attributes are copied into the inner request.
        copy_request_to_tunnel = yes
        virtual_server = "otpme"
    }
    peap {
        # PEAP: outer attributes are NOT copied into the inner request
        # (differs from the ttls block above).
        copy_request_to_tunnel = no
        virtual_server = "otpme"
    }
}