If there’s no State attribute, then this is the request from the user.
Do authentication for step 2. Set the "known good" password to the number saved in the session-state list.
If the password doesn’t match, the user is rejected immediately.
Set the random number to save.
Send an Access-Challenge. See raddb/policy.d/control for the definition of "challenge"
Do PAP authentication with the password.
Default Configuration
# This file gives an example of using Challenge-Response
# In this example, the user logs in with a password, which has
# to be "hello". The server will send them a challenge
# consisting of a random number 0..9. The user has to respond
# with that number.
server challenge {
namespace = radius
dictionary {
uint32 challenge-string
}
listen {
type = Access-Request
transport = udp
udp {
ipaddr = *
port = 2000
}
}
recv Access-Request {
if (!&State) {
&control.Auth-Type := ::Step1
&control.Password.Cleartext := "hello"
}
else {
&control.Auth-Type := ::Step2
&control.Password.Cleartext := &session-state.challenge-string
}
}
authenticate step1 {
pap
&session-state.challenge-string := "%randstr(n)"
&reply.Reply-Message := "Please enter %{session-state.challenge-string}: "
challenge
}
authenticate step2 {
pap
}
}