I apologize but the previous logs were incorrect, it was an output log using just username + password. This is the output from radiusd -X when using username + password + passcode: Ready to process requests (0) Received Access-Request Id 105 from 192.168.1.10:45091 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "mypassword002434" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x4877740bffa9041ce041994eb5764c90 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> FALSE (0) update request { (0) EXPAND %{1} (0) --> mypassword (0) User-Password := mypassword (0) EXPAND %{2} (0) --> 002434 (0) TOTP-Password := 002434 (0) } # update request = noop (0) if (&User-Name == "bob") { (0) if (&User-Name == "bob") -> TRUE (0) if (&User-Name == "bob") { (0) update control { (0) TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== (0) } # update control = noop (0) } # if (&User-Name == "bob") = noop (0) update reply { (0) reply-Message := TOTP-Password -> '002434' (0) No attributes updated for RHS TOTP-Secret (0) reply-Message := User-Password -> 'mypassword' (0) } # update reply = noop (0) [totp.authenticate] = fail (0) } # authorize = fail (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 105 from 192.168.1.10:1812 to 192.168.1.10:45091 length 32 (0) Reply-Message := "mypassword" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 105 with timestamp +38 due to cleanup_delay was reached Ready to process requests Thank you! João Miguel Regateiro <jmregateiro@gmail.com> escreveu no dia terça, 20/06/2023 à(s) 10:06:
Hello,
I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ]
This is the configuration file for sites-enable/default:
authorize{ #TOTP Authorize if (User-Password !~ /^(.*)([0-9]{6})$/) { reject }
update request { User-Password := "%{1}" TOTP-Password := "%{2}" } #Example Use BOB if (&User-Name == "bob") { update control { TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== } } totp.authenticate if (!ok) { reject } pap }
authenticate { Auth-Type PAP { pap } }
This is the configuration file of clients.conf : Client network-device { ipaddr = 192.168.1.0/24 secret = testing123 }
Note: I have test to send the TOTP-Secret via update control or update request, and that gave me different output when call TOTP.authenticate returns fail or noop .
Radius client test: radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123
output radiusd -X
Ready to process requests (0) Received Access-Request Id 38 from 192.168.1.10:48110 to 192.168.1.10:1812 length 73 (0) User-Name = "bob" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.1.10 (0) NAS-Port = 1812 (0) Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/radius/radacct/ 192.168.1.10/auth-detail-20230619 (0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619 (0) auth_log: EXPAND %t (0) auth_log: --> Mon Jun 19 16:05:09 2023 (0) [auth_log] = ok (0) files: users: Matched entry bob at line 1 (0) files: EXPAND Hello %{User-Name} THE BUILDER :D (0) files: --> Hello bob THE BUILDER :D (0) [files] = ok (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) if (User-Password !~ /^(.*)([0-9]{6})$/) -> TRUE (0) if (User-Password !~ /^(.*)([0-9]{6})$/) { (0) [reject] = reject (0) } # if (User-Password !~ /^(.*)([0-9]{6})$/) = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bob (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110 length 47 (0) Reply-Message = "Hello bob THE BUILDER :D " Waking up in 3.9 seconds. (0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay was reached Ready to process requests
Please let me know if you can help me on this 🙂 Thank you!
Best regards, Miguel