Hi Alan Thanks for your help. It doesn't work yet. Now I get this output. Ready to process requests (0) Received Access-Request Id 17 from 192.168.65.161:59586 to 192.168.65.160:1812 length 71 (0) NAS-Identifier = "vncserver" (0) User-Name = "bw" (0) User-Password = "961473" (0) Message-Authenticator = 0xe83db7a48eb5d19f6170f913a5eca38e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) update control { (0) Auth-Type := TOTP (0) } # update control = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bw", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bw at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = TOTP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type TOTP { (0) [totp] = noop (0) } # Auth-Type TOTP = noop (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bw (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 17 from 192.168.65.160:1812 to 192.168.65.161:59586 length 20 Waking up in 3.9 seconds. (0) Sending duplicate reply to client pc1 port 59586 - ID: 17 Waking up in 8.9 seconds. (0) Cleaning up request packet ID 17 with timestamp +12 due to cleanup_delay was reached Am Do., 13. März 2025 um 10:20 Uhr schrieb Alan DeKok < aland@deployingradius.com>:
On Mar 11, 2025, at 8:56 AM, IT DEB <itdebbw.p@gmail.com> wrote:
Thanks. Sorry im absolutely new to freeradius.
That's fine.
Now i changed in the config to
Why?
You can't make random changes to the configuration, and get them to do what you want. The PAP module checks passwords, and not TOTP. The PAP module sets "Auth-Type := PAP", and the default configuration has the PAP module running inside of "Auth-Type = PAP.
You don't want to change the PAP module to use TOTP. You want to use TOTP *instead* of the PAP module.
If all users are being authenticated using TOTP, you can just edit the "authorize" section, and add:
update control { Auth-Type := TOTP }
And then edit the "authentication" section, and add:
Auth-Type TOTP { totp }
It should then work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html