Hello, I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ] This is the configuration file for sites-enable/default: authorize{ #TOTP Authorize if (User-Password !~ /^(.*)([0-9]{6})$/) { reject } update request { User-Password := "%{1}" TOTP-Password := "%{2}" } #Example Use BOB if (&User-Name == "bob") { update control { TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== } } totp.authenticate if (!ok) { reject } pap } authenticate { Auth-Type PAP { pap } } This is the configuration file of clients.conf : Client network-device { ipaddr = 192.168.1.0/24 secret = testing123 } Note: I have test to send the TOTP-Secret via update control or update request, and that gave me different output when call TOTP.authenticate returns fail or noop . Radius client test: radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123 output radiusd -X Ready to process requests (0) Received Access-Request Id 38 from 192.168.1.10:48110 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/ 192.168.1.10/auth-detail-20230619 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619 (0) auth_log: EXPAND %t (0) auth_log: --> Mon Jun 19 16:05:09 2023 (0) [auth_log] = ok (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) [reject] = reject (0) } # if (User-Password !~ /^(.*)([0-9]{6})$/) = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110 length 47 (0) Reply-Message = "Hello bob THE BUILDER :D " Waking up in 3.9 seconds. (0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay was reached Ready to process requests Please let me know if you can help me on this 🙂 Thank you! Best regards, Miguel