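# radius.cfg - Niels van Sluis
#
# Example Radiator configuration file.
#
# * retrieve mobile number from Directory Server.
# * generate and send One-Time Password to mobile number.
# * authenticate One-Time Password.
#
# NOTE(review): this listing appears to have lost its clause tags (the
# <Client ...>, <AuthBy ...>, <Handler ...> lines and their closing tags)
# somewhere in extraction. The directives below are grouped the way they
# were most likely nested; restore the tags against the Radiator reference
# manual before using this file.

LogDir /var/log/radius
DbDir /etc/radiator

# Use a lower trace level in production systems: 7 is the most verbose
# level, at which Radiator presumably writes full request/reply contents to
# the log -- here that would include the one-time passwords generated below.
Trace 7

AuthPort 1812
AcctPort 1813

# --- client (NAS) definition -----------------------------------------------
# "mysecret" is a placeholder. The shared secret is all that protects the
# RADIUS exchange with the SSL VPN; replace it with a long random value that
# is unique to this client.
Secret mysecret
Identifier juni-sslvpn

# --- LDAP lookup: Radiator talks to Microsoft AD ----------------------------
# Try to find mobile number only.
Identifier SSLVPN_LDAP
Host ldap.example.com
BaseDN OU=employees,DC=example,DC=com
AuthDN CN=srv_juniper,OU=Service Accounts,DC=example,DC=com
AuthPassword *****
HoldServerConnection
Timeout 2
UsernameAttr sAMAccountName
# Get attribute that contains the mobile number.
# NOTE(review): AuthAttrDef normally takes "ldap-attr,check-name,type";
# the single-field form is kept as found but should be checked.
AuthAttrDef MobileNumber
# No password check here: any account found under BaseDN is handed on to
# the OTP step, which is where authentication actually happens.
NoCheckPassword
# Put the mobile number into a per-user context (120 s lifetime) so the OTP
# ChallengeHook below can read it under the same "otp:<user>" key.
# Hook arguments as used here: $_[1] is the user name and $_[4] the object
# the number is read from (presumably the LDAP entry) -- confirm against the
# PostSearchHook description for the installed Radiator version.
PostSearchHook sub {\
    use Radius::Context;\
    my $user = $_[1];\
    my $attr = ($_[4]->get('MobileNumber'))[0];\
    my $context = Radius::Context::get("otp:$user", 120);\
    $context->{mobile_number} = $attr;\
}

# --- OTP step ----------------------------------------------------------------
# Authenticate based on One-Time Password sent to user by SMS.
Identifier SSLVPN_OTP
EAPType One-Time-Password,Generic-Token
# The hook fails closed: if the directory lookup yielded no mobile number,
# or the SMS command exits non-zero, no OTP is stored and an empty value is
# returned to signal that no challenge could be produced (confirm that the
# installed version rejects the request in that case). system() is used in
# list form, so neither the user name nor the number is interpreted by a
# shell. The OTP is never written to the log by this hook; keep Trace low
# enough that Radiator does not log it either.
# NOTE(review): nothing here limits guesses during the 120 s context window;
# with a short numeric OTP that matters, so rely on a lockout on the VPN or
# in Radiator, and review generate_password()'s length/alphabet settings.
ChallengeHook sub {\
    my ($self, $user, $p, $context) = @_;\
    my $mobile = $context->{mobile_number};\
    unless (defined $mobile && length $mobile) {\
        main::log($main::LOG_WARNING, "No mobile number found for $user, OTP not sent");\
        return;\
    }\
    $context->{otp_password} = $self->generate_password();\
    my $rc = system('/etc/radiator/otp/sendsms.php', $user, $mobile, $context->{otp_password});\
    if ($rc != 0) {\
        delete $context->{otp_password};\
        main::log($main::LOG_WARNING, "sendsms.php failed for $user (status $rc)");\
        return;\
    }\
    return "Enter One-Time Password";\
}

# --- combine both steps ------------------------------------------------------
# Both AuthBys must accept: first the LDAP lookup (account exists, number
# fetched), then the OTP exchange.
Identifier Check-LDAP-and-OTP
AuthByPolicy ContinueWhileAccept
AuthBy SSLVPN_LDAP
AuthBy SSLVPN_OTP

# --- handler -----------------------------------------------------------------
RejectHasReason
AuthBy Check-LDAP-and-OTP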