Using OTP authentication with Freeradius 2

Greg Woods woods at ucar.edu
Wed Jul 2 23:34:41 CEST 2008


On Wed, 2008-07-02 at 12:33 -0600, Greg Woods wrote:
> On Wed, 2008-07-02 at 17:15 +0100, Ivan Kalik wrote:
> 
> > How sure are you that your auth script works? 
> 
> I'm not using a script. Under 1.1.7 at least, when "otp" is invoked, it
> communicates with otpd using a socket.

I've got more on this; I'm now wondering if I should file a bug report.

First, otpauth always works, both before and after trying it with
freeradius. So I really believe the problem is not with otpd. 

What happens when I run radtest is, the first time, it always produces
an Access-Reject response, whether or not I provide the correct
passcode. The second time I run radtest, it sends radiusd into an
infinite loop. No debugging output is produced after the first
authentication attempt, and that looks like this:


rlm_otp: otp_pwe_present: password attributes 2, 2
++[otp] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type otp
auth: type "otp"
+- entering group authenticate
rlm_otp: otp_pwe_present: password attributes 2, 2

Note that it says that otp returned ok, but it still sends an
Access-Reject response.

I ran radiusd under 'strace', and it shows that it is going into an
infinite loop trying to write to the otpd socket, and getting a "Broken
pipe" error. It will continue to do this, racking up CPU time, until I
kill it.

Does anybody have OTP authentication working with freeradius 2.0.5?
Could something in my configuration be causing this problem, or is it
more likely a bug?

--Greg
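
Added example, not part of the original post and not FreeRADIUS or rlm_otp code: a socket write helper that retries only on EINTR and short writes and reports "Broken pipe" (EPIPE) to the caller, so a closed daemon socket ends the attempt instead of being written to again. The names `write_all` and `send_request` are hypothetical, and a constructed `socketpair` stands in for the otpd socket.

```c
#include <errno.h>
#include <signal.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write all of buf to fd. Retries only on EINTR and short writes; any other
 * error (EPIPE, ECONNRESET, ...) goes back to the caller, who should close
 * the descriptor and reconnect rather than write to it again. */
static int write_all(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;              /* interrupted: safe to retry */
            return -1;                 /* peer gone or hard error: stop */
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Constructed scenario: a socketpair stands in for the daemon socket.
 * Returns 0 if the write succeeded, otherwise the errno from write_all. */
static int send_request(int close_peer_first)
{
    int sv[2];
    const char msg[] = "constructed request";
    int err = 0;

    signal(SIGPIPE, SIG_IGN);          /* receive EPIPE instead of a fatal signal */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return errno;
    if (close_peer_first)
        close(sv[1]);                  /* simulate the daemon closing its end */
    if (write_all(sv[0], msg, sizeof msg) < 0)
        err = errno;                   /* save before close() can change it */
    close(sv[0]);
    if (!close_peer_first)
        close(sv[1]);
    return err;
}

int main(void)
{
    return (send_request(0) == 0 && send_request(1) == EPIPE) ? 0 : 1;
}
```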




