How to Setup OTP on RADIUS

Following the information on the Mobile OTP site, I am going to document my attempt to get XTRadius installed and set up as an OTP authenticator for the masses, so people can do single sign-on!

To get single sign-on working you need one central place to authenticate against, and a RADIUS server is as good a choice as any.

The reason for using RADIUS is pretty obvious: it has been around since the early 1990s and a lot of things will authenticate against it; see the links at the bottom for a list of client authenticators.

Install XTRADIUS

First you will need to install the RADIUS server itself and fetch the Mobile-OTP dictionary and execparams files into its configuration directory:

apt-get install xtradius
cd /etc/raddb
wget http://motp.sourceforge.net/dictionary.motp
wget http://motp.sourceforge.net/execparams
# if /etc/raddb already has an execparams, wget saves the download as execparams.1;
# put the downloaded Mobile-OTP version in its place
mv execparams.1 execparams

Next you will need to edit the users file (/etc/raddb/users). You can basically delete everything in it and replace it with the following lines, which hand every authentication request to an external program:

DEFAULT Auth-Type = External
	Exec-Program-Wait = "/usr/bin/otpauth.php %u %w",
	Fall-Through = Yes

%u is expanded to the user name and %w to the password exactly as the NAS sent it, so the script gets the cleartext one-time password and accepts or rejects the request through its exit status (0 accepts, anything else rejects). This only works with PAP: CHAP and MS-CHAP never put the password on the wire, and the server would need a fixed password to verify them, which an OTP scheme does not have. Point your clients at this server with PAP, and remember that the RADIUS shared secret is then the only thing protecting the password between the NAS and the server.

Next edit dictionary and paste this line into the file:

$INCLUDE dictionary.motp

PHP/MySQL Auth Script

First, copy and paste the example code from the One Time Passwords with PHP page into a new file called getotp.php; it provides the checkOTP() function the authenticator below calls.

Next create /usr/bin/otpauth.php with the following contents and make it executable (chmod 755), since XTRadius runs it directly:

#!/usr/bin/php -q
<?php
	// getotp.php (from the One Time Passwords with PHP page) provides checkOTP()
	include_once("getotp.php");

	// XTRadius passes the user name as argv[1] and the password as argv[2]
	// (Exec-Program-Wait = "/usr/bin/otpauth.php %u %w" in the users file)
	if ($argc < 3) {
		echo "FAIL\n";
		exit(1);
	}

	// the mysql_* extension matches the era of getotp.php; it was removed in PHP 7
	mysql_connect("localhost", "username", "password") or exit(1);
	mysql_select_db("database") or exit(1);

	$username = mysql_real_escape_string($argv[1]);
	$password = mysql_real_escape_string($argv[2]);

	if (checkOTP($username, $password)) {
		echo "ACCEPT\n";
		exit(0);	// exit status 0 tells XTRadius to accept the request
	}

	echo "FAIL\n";
	exit(1);		// any non-zero status rejects it
?>

Two things to keep in mind with this approach. The script embeds the database credentials, so restrict its read permission to the account radiusd runs as. And because the password arrives as a command-line argument, it is briefly visible to any local user who runs ps while the script executes; that is tolerable for a one-time password that checkOTP() invalidates on use, but it is another reason never to reuse this external-program setup with static passwords.
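As an added example (not the page's otpauth.php or getotp.php, and not code from the XTRadius or Mobile-OTP projects), here is the same external-authenticator contract written in Python: user name in argv[1], password in argv[2], exit 0 to accept and 1 to reject. It assumes a table of single-use passwords per user, stores them as salted SHA-256 digests rather than plaintext, uses parameterised queries instead of escaping, compares digests in constant time, and burns the OTP in the same UPDATE that checks it is still unused, so two concurrent RADIUS requests carrying the same OTP cannot both succeed. The table layout, the sqlite file path and the sample OTPs are all constructed for the example.

```python
"""External RADIUS authenticator (added example): argv[1] = user, argv[2] = password,
exit 0 = accept, exit 1 = reject. Backed by a table of single-use passwords."""
import hashlib
import hmac
import sqlite3
import sys

# Assumed table: one row per issued OTP, hashed so a database dump yields no usable passwords.
SCHEMA = """
CREATE TABLE IF NOT EXISTS otp (
    username TEXT    NOT NULL,
    otp_hash TEXT    NOT NULL,
    used     INTEGER NOT NULL DEFAULT 0
)
"""

# Assumed location of the OTP store on the RADIUS server.
DB_PATH = "/var/lib/radius/otp.db"


def otp_digest(username: str, otp: str) -> str:
    """Salt the OTP with the user name so equal OTPs for different users hash differently."""
    return hashlib.sha256(f"{username}\0{otp}".encode("utf-8")).hexdigest()


def issue_otps(db: sqlite3.Connection, username: str, otps: list) -> None:
    """Store a batch of fresh one-time passwords for a user (parameterised, no escaping)."""
    db.executemany(
        "INSERT INTO otp (username, otp_hash) VALUES (?, ?)",
        [(username, otp_digest(username, o)) for o in otps],
    )
    db.commit()


def check_otp(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Return True if password is an unused OTP for username, and burn it on success."""
    digest = otp_digest(username, password)
    rows = db.execute(
        "SELECT rowid, otp_hash FROM otp WHERE username = ? AND used = 0", (username,)
    ).fetchall()

    match = None
    for rowid, stored in rows:
        # Constant-time comparison of the two hex digests.
        if hmac.compare_digest(stored, digest):
            match = rowid

    if match is None:
        return False

    # The "AND used = 0" guard makes the burn atomic: a second request racing on the
    # same OTP sees rowcount 0 and is rejected even though its SELECT matched.
    cur = db.execute("UPDATE otp SET used = 1 WHERE rowid = ? AND used = 0", (match,))
    db.commit()
    return cur.rowcount == 1


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample store: an in-memory database seeded with two OTPs for 'alice'."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    issue_otps(db, "alice", ["483921", "117042"])
    return db


def main(argv: list) -> int:
    """Entry point in the shape XTRadius calls: prints ACCEPT/FAIL, returns the exit status."""
    if len(argv) != 3:
        print("FAIL")
        return 1
    db = sqlite3.connect(DB_PATH)
    db.executescript(SCHEMA)
    ok = check_otp(db, argv[1], argv[2])
    print("ACCEPT" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, point Exec-Program-Wait at this file instead of otpauth.php and give it the same permissions treatment; the exit-status contract is identical, so the users file does not otherwise change.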