#
#	This file gives an example of using Challenge-Response
#
#	In this example, the user logs in with a password, which has
#	to be "hello".  The server will send them a challenge
#	consisting of a random number 0..9.  The user has to respond
#	with that number.
#
#
#	$Id: 24c9b2546eb2a62fb60b31fa5add4537b6536a31 $
#
listen {
	type = auth
	ipaddr = *
	port = 2000
	virtual_server = challenge
}

server challenge {
authorize {

	#
	#  If ther's no State attribute, then this is the request from
	#  the user.
	#
	if (!State) {
		update control {
			Auth-Type := Step1
			Cleartext-Password := "hello"
		}
	}
	else {
		#
		#  Do authentication for step 2.
		#  Set the "known good" password to the number
		#  saved in the session-state list.
		#
		update control {
			Auth-Type := Step2
			Cleartext-Password := &session-state:Tmp-Integer-0
		}
	}
}

authenticate {
	Auth-Type Step1 {
		#  If the password doesn't match, the user is rejected
		#  immediately.
		pap

		#
		#  Set the random number to save.
		#
		update session-state {
			Tmp-Integer-0 := "%{randstr:n}"
		}
		update reply {
			Reply-Message := &session-state:Tmp-Integer-0
		}

		#
		#  Send an Access-Challenge.
		#  See raddb/policy.d/control for the definition
		#  of "challenge"
		#
		challenge
	}

	Auth-Type Step2 {
		#
		#  Do PAP authentication with the password.
		#
		pap
	}
}
}