
If there’s no State attribute, then this is the initial request from the user. It is handled by the step1 authentication section.

If a State attribute is present, do authentication for step 2. Set the "known good" password to the number saved in the session-state list.

In step 1, if the password doesn’t match, the user is rejected immediately.

Otherwise, set the random number to save.

Send an Access-Challenge. See raddb/policy.d/control for the definition of "challenge".

In step 2, do PAP authentication with the password.

Default Configuration

#	This file gives an example of using Challenge-Response
#	In this example, the user logs in with a password, which has
#	to be "hello".  The server will send them a challenge
#	consisting of a random number 0..9.  The user has to respond
#	with that number.
server challenge {
	namespace = radius
	dictionary {
		uint32 challenge-string
	}
	listen {
		type = Access-Request
		transport = udp
		udp {
			ipaddr = *
			port = 2000
		}
	}
recv Access-Request {
	if (!&State) {
		&control.Auth-Type := ::Step1
		&control.Password.Cleartext := "hello"
	}
	else {
		&control.Auth-Type := ::Step2
		&control.Password.Cleartext := &session-state.challenge-string
	}
}
authenticate step1 {
	pap
	&session-state.challenge-string := "%randstr(n)"
	&reply.Reply-Message := "Please enter %{session-state.challenge-string}: "
	challenge
}
authenticate step2 {
	pap
}
}
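
The two-step exchange this configuration implements, modelled as an added Python example (it is not FreeRADIUS code and not part of the default configuration). The function names, the in-memory session table, the 16-byte random State value and the single-use lookup are assumptions of the model, chosen to show why a wrong answer or a replayed State ends in Access-Reject.

```python
import hmac
import secrets

FIRST_FACTOR = "hello"   # control.Password.Cleartext for Step1 in the config
_sessions = {}           # State value -> saved challenge-string (models session-state)

def pap_ok(known_good, supplied):
    # Constant-time comparison of the supplied password against the known-good one.
    return hmac.compare_digest(known_good.encode(), supplied.encode())

def handle_access_request(user_password, state=None):
    """Return (code, attrs) for one Access-Request, following the two-step policy."""
    if state is None:
        # Step1: no State attribute, so this is the user's initial request.
        if not pap_ok(FIRST_FACTOR, user_password):
            return "Access-Reject", {}
        challenge = str(secrets.randbelow(10))      # random number 0..9
        new_state = secrets.token_bytes(16)         # assumed: opaque, unpredictable State
        _sessions[new_state] = challenge
        return "Access-Challenge", {
            "State": new_state,
            "Reply-Message": f"Please enter {challenge}: ",
        }
    # Step2: State present. The known-good password is the saved number.
    # pop() makes the session single-use, so a replayed State finds nothing.
    saved = _sessions.pop(state, None)
    if saved is None or not pap_ok(saved, user_password):
        return "Access-Reject", {}
    return "Access-Accept", {}

def run_login(first_password, answer_fn):
    """Client side: send the password, then answer the challenge if one arrives."""
    code, attrs = handle_access_request(first_password)
    if code != "Access-Challenge":
        return code
    digit = attrs["Reply-Message"].removeprefix("Please enter ").rstrip(": ")
    code, _ = handle_access_request(answer_fn(digit), state=attrs["State"])
    return code

if __name__ == "__main__":
    print(run_login("hello", lambda d: d))                       # Access-Accept
    print(run_login("wrong", lambda d: d))                       # Access-Reject
    print(run_login("hello", lambda d: str((int(d) + 1) % 10)))  # Access-Reject
```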