3.60. <AuthBy OTP> Previous topic Parent topic Child topic Next topic

This module is extensible and customisable to support a range of One-Time-Password (OTP) schemes, including automatic password generation and sending of passwords through a back-channel such as SMS. AuthBy OPT is suitable for authenticating 802.1X Wired and Wireless access with custom one-time password and token card authentication systems.
The default behaviour of AuthBy OTP demonstrates how it can be used and tested, but it is not suitable for use in a production environment: it tells the user the correct password in the challenge. In almost all cases, you will need to develop at least your own ChallengeHook, and possible a VerifyHook to work with your local system.
In the most common use of AuthBy OTP, it will be configured to generate a random password (according to a configurable password pattern) and then send it to the user by SMS or some other channel. AuthBy OTP will then challenge the user to enter the correct password (after they have received it through the SMS system or whatever). In order to achieve this, you must configure at least the ChallengeHook to call some external program that will deliver the password to the user.
AuthBy OTP works with EAP-OTP (One-Time-Password), EAP-GTC (Generic-Token-Card) as well as standard RADIUS PPP dialup. Caution: most PPP clients and modems do not handle OTP challenges very well. AuthBy OTP supports PPP dial-up in the following way: if the user attempts to log in with an empty (zero length) password, the ChallengeHook will be called and the challenge will be sent back to the PPP client. This may result in a message for the user, but often does not, depending on the PPP client on the users computer.
See goodies/otp.cfg for an example configuration file.
You can test AuthBy OTP with the following radpwtst commands:
# Conventional RADIUS PPP
radpwtst -noacct -interactive -password ''
# EAP-OTP authentication
radpwtst -noacct -eapotp
# EAP-GTC auth (with EAPType set to Generic-Token):
# radpwtst -noacct -eapgtc
One-time password system works with PPP dial-up as well as EAP-OTP and EAP-GTC using the well known OPIE one-time password system. For more information, see Section 3.52. <AuthBy OPIE>.