I am trying a simple TOTP authentication with the TOTP module. The idea is that the user only has to enter the OTP via Radius and is authenticated. Freeradius starts but the authentication does not work. See below config and output. Thanks itdeb ############################################################################ #clients.conf File client pc1 { ipaddr = 192.168.65.161 secret = testing12345 } #users File bw TOTP-Secret := "JBSWY3DPEHPK3PXP" #default File Auth-Type CHAP { totp } #totp File totp { time_step = 30 otp_length = 6 lookback_steps = 1 lookback_interval = 30 } ############################################################################ ############################################################################ Ready to process requests (0) Received Access-Request Id 23 from 192.168.65.161:60716 to 192.168.65.160:1812 length 72 (0) NAS-Identifier = "vncserver" (0) User-Name = "bw" (0) CHAP-Password = 0x00549ccaa7d52c08fd1655bce475bdd1d9 (0) Message-Authenticator = 0x30156802c7f5b5504b3d1fdd42943c0b (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) chap: &control:Auth-Type := CHAP (0) [chap] = ok (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bw", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bw at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = CHAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type CHAP { (0) [totp] = noop (0) } # Auth-Type CHAP = noop (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bw (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 23 from 192.168.65.160:1812 to 192.168.65.161:60716 length 20 Waking up in 3.9 seconds. (0) Sending duplicate reply to client pc1 port 60716 - ID: 23 Waking up in 8.9 seconds. (0) Cleaning up request packet ID 23 with timestamp +34 due to cleanup_delay was reached Ready to process requests ############################################################################