#  -*- text -*-
#  $Id: 7f9f56718b6b774b5168c2da20698c1075cfa6cb $

#######################################################################

#
#	This file gives an example of using Challenge-Response
#
#	In this example, the user logs in with a password, which has
#	to be "hello".  The server will send them a challenge
#	consisting of a random number 0..9.  The user has to respond
#	with that number.
#
server challenge {
	namespace = radius

	dictionary {
		uint32 challenge-string
	}

	listen {
		type = Access-Request
		transport = udp

		udp {
			ipaddr = *
			port = 2000
		}
	}

recv Access-Request {

	#
	#  If there's no State attribute, then this is the request from
	#  the user.
	#
	if (!&State) {
		&control.Auth-Type := ::Step1
		&control.Password.Cleartext := "hello"
	}
	else {
		#
		#  Do authentication for step 2.
		#  Set the "known good" password to the number
		#  saved in the session-state list.
		#
		&control.Auth-Type := ::Step2
		&control.Password.Cleartext := &session-state.challenge-string
	}
}


authenticate step1 {
	#  If the password doesn't match, the user is rejected
	#  immediately.
	pap

	#
	#  Set the random number to save.
	#
	&session-state.challenge-string := "%randstr(n)"
	&reply.Reply-Message := "Please enter %{session-state.challenge-string}: "

	#
	#  Send an Access-Challenge.
	#  See raddb/policy.d/control for the definition
	#  of "challenge"
	#
	challenge
}

authenticate step2 {
	#
	#  Do PAP authentication with the password.
	#
	pap
}
}
