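#	This file gives an example of using Challenge-Response.
#	In this example, the user logs in with a password, which has
#	to be "hello".  The server will send them a challenge
#	consisting of a random number 0..9.  The user has to respond
#	with that number.
#
#	This is a demonstration of the Access-Challenge flow only: the
#	password is fixed and the one-digit challenge is shown to the user
#	in Reply-Message, so it is not a usable authentication policy as
#	written.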
#	Virtual server that demonstrates a two-step Access-Challenge exchange:
#	step 1 checks a fixed password with PAP and replies with a challenge,
#	step 2 checks the user's answer against the value saved in session-state.
server challenge {
	#	Packets for this virtual server are handled as RADIUS.
	namespace = radius

	#	Local attribute used below to carry the challenge value from
	#	step 1 to step 2 via the session-state list.
	dictionary {
		uint32 challenge-string
	}

	#	Listener for Access-Request packets over UDP.
	listen {
		type = Access-Request
		transport = udp

		udp {
			#	NOTE(review): "*" is a wildcard bind address (presumably
			#	every local interface - confirm), so this demo answers
			#	on port 2000 from any network the host is attached to.
			#	Bind to a loopback or lab address when trying it out.
			ipaddr = *
			port = 2000
		}
	}

#	Picks the Auth-Type for the request: Step1 when there is no State
#	attribute, Step2 otherwise.
recv Access-Request {

If there’s no State attribute, then this is the request from the user.

	if (!State) {
		control.Auth-Type := ::Step1
		#	NOTE(review): the same hard-coded password is set for every
		#	request, whatever the user name - acceptable only in a demo.
		control.Password.Cleartext := "hello"
	}
	else {

Do authentication for step 2. Set the "known good" password to the number saved in the session-state list.

		#	NOTE(review): any request that carries State takes this
		#	branch; nothing here checks that session-state.challenge-string
		#	was actually set by step 1 - presumably the assignment or the
		#	later pap call fails when it is missing; confirm.
		control.Auth-Type := ::Step2
		control.Password.Cleartext := session-state.challenge-string
	}
}

#	Step 1: verify the password, then generate, store and send the challenge.
authenticate step1 {

If the password doesn’t match, the user is rejected immediately.

	pap

Set the random number to save.

	#	Per the file header the value is a single digit 0..9, so there are
	#	only ten possible answers, and the next line sends it to the client
	#	in Reply-Message.  It shows the mechanics of a challenge round trip;
	#	it does not add a second secret.
	session-state.challenge-string := "%randstr(n)"
	reply.Reply-Message := "Please enter %{session-state.challenge-string}: "

Send an Access-Challenge. See raddb/policy.d/control for the definition of "challenge"

	challenge
}

#	Step 2: PAP compares the submitted password with the
#	control.Password.Cleartext value that recv Access-Request copied
#	from session-state.challenge-string.
authenticate step2 {

Do PAP authentication with the password.

	pap
}
}

Default Configuration