ansible/roles/radius/files/raddb/modules/otp

#
#  Configuration for the OTP module.
#

#  This module allows you to use various handheld OTP tokens
#  for authentication (Auth-Type := otp).  These tokens are
#  available from various vendors.
#
#  It works in conjunction with otpd, which implements token
#  management and OTP verification functions; and lsmd or gsmd,
#  which implements synchronous state management functions.
#  otpd, lsmd and gsmd are available from TRI-D Systems:
#              <http://www.tri-dsystems.com/>

#  You must list this module in BOTH the authorize and authenticate
#  sections in order to use it.
otp {
	# otpd rendezvous point.
	# (default: /var/run/otpd/socket)
	#otpd_rp = /var/run/otpd/socket

	# Text to use for the challenge.  The '%' character is
	# disallowed, except that you MUST have a single "%s"
	# sequence in the string; the challenge itself is
	# inserted there.  (default "Challenge: %s\n Response: ")
	#challenge_prompt = "Challenge: %s\n Response: "

	# Length of the challenge.  Most tokens probably support a
	# max of 8 digits.  (range: 5-32 digits, default 6)
	#challenge_length = 6

	# Maximum time, in seconds, that a challenge is valid.
	# (The user must respond to a challenge within this time.)
	# It is also the minimal time between consecutive async mode
	# authentications, a necessary restriction due to an inherent
	# weakness of the RADIUS protocol which allows replay attacks.
	# (default: 30)
	#challenge_delay = 30

	# Whether or not to allow asynchronous ("pure" challenge/
	# response) mode authentication.  Since sync mode is much more
	# usable, and all reasonable tokens support it, the typical
	# use of async mode is to allow resync of event based tokens.
	# But because of the vulnerability of async mode with some tokens,
	# you probably want to disable this and require that out-of-sync
	# users resync from specifically secured terminals.
	# See the otpd docs for more info.
	# (default: no)
	#allow_async = no

	# Whether or not to allow synchronous mode authentication.
	# When using otpd with lsmd, it is *CRITICALLY IMPORTANT*
	# that if your OTP users can authenticate to multiple RADIUS
	# servers, this must be "yes" for the primary/default server,
	# and "no" for the others.  This is because lsmd does not
	# share state information across multiple servers.  Using "yes"
	# on all your RADIUS servers would allow replay attacks!
	# Also, for event based tokens, the user will be out of sync
	# on the "other" servers.  In order to use "yes" on all your
	# servers, you must either use gsmd, which synchronizes state
	# globally, or implement your own state synchronization method.
	# (default: yes)
	#allow_sync = yes

	# If both allow_async and allow_sync are "yes", a challenge is
	# always presented to the user.  This is incompatible with NAS's
	# that can't present or don't handle Access-Challenge's, e.g.
	# PPTP servers.  Even though a challenge is presented, the user
	# can still enter their synchronous passcode.

	# The following are MPPE settings.  Note that MS-CHAP (v1) is
	# strongly discouraged.  All possible values are listed as
	# {value = meaning}.  Default values are first.
	#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}
	#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}
	#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}
	#mschap_mppe_bits = {2 = 128}
}
Add (free)radius role. 2017-02-21 20:20:04 +01:00			`#`
			`# Configuration for the OTP module.`
			`#`

			`# This module allows you to use various handheld OTP tokens`
			`# for authentication (Auth-Type := otp). These tokens are`
			`# available from various vendors.`
			`#`
			`# It works in conjunction with otpd, which implements token`
			`# management and OTP verification functions; and lsmd or gsmd,`
			`# which implements synchronous state management functions.`
			`# otpd, lsmd and gsmd are available from TRI-D Systems:`
			`# <http://www.tri-dsystems.com/>`

			`# You must list this module in BOTH the authorize and authenticate`
			`# sections in order to use it.`
			`otp {`
			`# otpd rendezvous point.`
			`# (default: /var/run/otpd/socket)`
			`#otpd_rp = /var/run/otpd/socket`

			`# Text to use for the challenge. The '%' character is`
			`# disallowed, except that you MUST have a single "%s"`
			`# sequence in the string; the challenge itself is`
			`# inserted there. (default "Challenge: %s\n Response: ")`
			`#challenge_prompt = "Challenge: %s\n Response: "`

			`# Length of the challenge. Most tokens probably support a`
			`# max of 8 digits. (range: 5-32 digits, default 6)`
			`#challenge_length = 6`

			`# Maximum time, in seconds, that a challenge is valid.`
			`# (The user must respond to a challenge within this time.)`
			`# It is also the minimal time between consecutive async mode`
			`# authentications, a necessary restriction due to an inherent`
			`# weakness of the RADIUS protocol which allows replay attacks.`
			`# (default: 30)`
			`#challenge_delay = 30`

			`# Whether or not to allow asynchronous ("pure" challenge/`
			`# response) mode authentication. Since sync mode is much more`
			`# usable, and all reasonable tokens support it, the typical`
			`# use of async mode is to allow resync of event based tokens.`
			`# But because of the vulnerability of async mode with some tokens,`
			`# you probably want to disable this and require that out-of-sync`
			`# users resync from specifically secured terminals.`
			`# See the otpd docs for more info.`
			`# (default: no)`
			`#allow_async = no`

			`# Whether or not to allow synchronous mode authentication.`
			`# When using otpd with lsmd, it is CRITICALLY IMPORTANT`
			`# that if your OTP users can authenticate to multiple RADIUS`
			`# servers, this must be "yes" for the primary/default server,`
			`# and "no" for the others. This is because lsmd does not`
			`# share state information across multiple servers. Using "yes"`
			`# on all your RADIUS servers would allow replay attacks!`
			`# Also, for event based tokens, the user will be out of sync`
			`# on the "other" servers. In order to use "yes" on all your`
			`# servers, you must either use gsmd, which synchronizes state`
			`# globally, or implement your own state synchronization method.`
			`# (default: yes)`
			`#allow_sync = yes`

			`# If both allow_async and allow_sync are "yes", a challenge is`
			`# always presented to the user. This is incompatible with NAS's`
			`# that can't present or don't handle Access-Challenge's, e.g.`
			`# PPTP servers. Even though a challenge is presented, the user`
			`# can still enter their synchronous passcode.`

			`# The following are MPPE settings. Note that MS-CHAP (v1) is`
			`# strongly discouraged. All possible values are listed as`
			`# {value = meaning}. Default values are first.`
			`#mschapv2_mppe = {2 = required, 1 = optional, 0 = forbidden}`
			`#mschapv2_mppe_bits = {2 = 128, 1 = 128 or 40, 0 = 40}`
			`#mschap_mppe = {2 = required, 1 = optional, 0 = forbidden}`
			`#mschap_mppe_bits = {2 = 128}`
			`}`