Hi there, Thanks for the previous response. Now I came across with two different problems, the first is with building the rlm_totp module and the second is during decoding the totp secret. I was able to get the correct totp and authenticate successfully even though the make totp returned some errors. The passcode was indeed incorrect because the module was generating the totp based on the system time. I changed the mods-available/date and set utc=yes and that fixed the problem (that was a misconfiguration on Universal Time vs System Time). I tried to build the rlm_totp (make totp) and got the following errors on undefined references ("fr_hmac_sha1" and "fr_digest_cmp"): rlm_totp.c: In function ‘main’: rlm_totp.c:336:44: warning: format ‘%llu’ expects argument of type ‘long long unsigned int *’, but argument 3 has type ‘uint64_t *’ {aka ‘long unsigned int *’} [-Wformat=] 336 | (void) sscanf(argv[2], "%llu", &now); | ~~~^ ~~~~ | | | | | uint64_t * {aka long unsigned int *} | long long unsigned int * | %lu At top level: rlm_totp.c:50:32: warning: ‘method_env’ defined but not used [-Wunused-const-variable=] 50 | static const call_method_env_t method_env = { | ^~~~~~~~~~ /bin/ld: /tmp/cccE8qoD.o: in function `totp_cmp': /home/mfa/freeradius-server/src/modules/rlm_totp/rlm_totp.c:209: undefined reference to `fr_hmac_sha1' /bin/ld: /home/mfa/freeradius-server/src/modules/rlm_totp/rlm_totp.c:229: undefined reference to `fr_digest_cmp' collect2: error: ld returned 1 exit status make: *** [Makefile:25: totp] Error 1 ------------------------------------------------------------------------------------------ In the last email I was using a standard shared secret just for testing purposes but my TOTP generator creates a 56 characters secret so I am using that and getting this message - “totp: TOTP-Secret cannot be decoded”. I’ve tried smaller secrets and it is always able to decode the secret which made me wonder if you have any restrictions on the secret length? Secret: 3R4VOYWSOR3YWEVRX74HRVXYXLMACQN3A457C24GS2OYG7EINHMBPQZO Base32 encoded: GNJDIVSPLFLVGT2SGNMVORKWKJMDONCIKJLFQWKYJRGUCQ2RJYZUCNBVG5BTENCHKMZE6WKHG5CUSTSIJVBFAUK2J4====== Fri Jun 23 11:42:00 2023 : Info: Ready to process requests Fri Jun 23 11:42:04 2023 : Debug: (2) Received Access-Request Id 192 from 10.56.143.110:59496 to 10.56.143.110:1812 length 73 Fri Jun 23 11:42:04 2023 : Debug: (2) User-Name = "bob" Fri Jun 23 11:42:04 2023 : Debug: (2) User-Password = "testing123123456" Fri Jun 23 11:42:04 2023 : Debug: (2) NAS-IP-Address = 10.56.143.110 Fri Jun 23 11:42:04 2023 : Debug: (2) NAS-Port = 1812 Fri Jun 23 11:42:04 2023 : Debug: (2) Message-Authenticator = 0x7641368bcad58c3250dd31f0e46e76d4 Fri Jun 23 11:42:04 2023 : Debug: (2) session-state: No State attribute Fri Jun 23 11:42:04 2023 : Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default Fri Jun 23 11:42:04 2023 : Debug: (2) authorize { Fri Jun 23 11:42:04 2023 : Debug: (2) modsingle[authorize]: calling files (rlm_files) Fri Jun 23 11:42:04 2023 : Debug: (2) files: users: Matched entry bob at line 1 Fri Jun 23 11:42:04 2023 : Debug: Hello %{User-Name} Fri Jun 23 11:42:04 2023 : Debug: Parsed xlat tree: Fri Jun 23 11:42:04 2023 : Debug: literal --> Hello Fri Jun 23 11:42:04 2023 : Debug: attribute --> User-Name Fri Jun 23 11:42:04 2023 : Debug: literal --> Fri Jun 23 11:42:04 2023 : Debug: (2) files: EXPAND Hello %{User-Name} Fri Jun 23 11:42:04 2023 : Debug: (2) files: --> Hello bob Fri Jun 23 11:42:04 2023 : Debug: (2) modsingle[authorize]: returned from files (rlm_files) Fri Jun 23 11:42:04 2023 : Debug: (2) [files] = ok Fri Jun 23 11:42:04 2023 : Debug: (2) if (User-Password !~ /^(.*)([0-9]{6})$/) { Fri Jun 23 11:42:04 2023 : Debug: (2) if (User-Password !~ /^(.*)([0-9]{6})$/) -> FALSE Fri Jun 23 11:42:04 2023 : Debug: (2) update request { Fri Jun 23 11:42:04 2023 : Debug: (2) EXPAND %{1} Fri Jun 23 11:42:04 2023 : Debug: (2) --> testing123 Fri Jun 23 11:42:04 2023 : Debug: (2) User-Password := testing123 Fri Jun 23 11:42:04 2023 : Debug: (2) Overwriting value "testing123123456" with "testing123" Fri Jun 23 11:42:04 2023 : Debug: (2) EXPAND %{2} Fri Jun 23 11:42:04 2023 : Debug: (2) --> 123456 Fri Jun 23 11:42:04 2023 : Debug: (2) TOTP-Password := 123456 Fri Jun 23 11:42:04 2023 : Debug: (2) } # update request = noop Fri Jun 23 11:42:04 2023 : Debug: (2) if (&User-Name == "bob") { Fri Jun 23 11:42:04 2023 : Debug: (2) if (&User-Name == "bob") -> TRUE Fri Jun 23 11:42:04 2023 : Debug: (2) if (&User-Name == "bob") { Fri Jun 23 11:42:04 2023 : Debug: (2) update control { Fri Jun 23 11:42:04 2023 : Debug: (2) TOTP-Secret := GNJDIVSPLFLVGT2SGNMVORKWKJMDONCIKJLFQWKYJRGUCQ2RJYZUCNBVG5BTENCHKMZE6WKHG5CUSTSIJVBFAUK2J4====== Fri Jun 23 11:42:04 2023 : Debug: (2) } # update control = noop Fri Jun 23 11:42:04 2023 : Debug: (2) } # if (&User-Name == "bob") = noop Fri Jun 23 11:42:04 2023 : Debug: (2) modsingle[authenticate]: calling totp (rlm_totp) Fri Jun 23 11:42:04 2023 : Debug: (2) totp: TOTP-Secret cannot be decoded Fri Jun 23 11:42:04 2023 : Debug: (2) modsingle[authenticate]: returned from totp (rlm_totp) Fri Jun 23 11:42:04 2023 : Debug: (2) [totp.authenticate] = fail Fri Jun 23 11:42:04 2023 : Debug: (2) } # authorize = fail Fri Jun 23 11:42:04 2023 : Debug: (2) Using Post-Auth-Type Reject Fri Jun 23 11:42:04 2023 : Debug: (2) Post-Auth-Type sub-section not found. Ignoring. Fri Jun 23 11:42:04 2023 : Debug: (2) # Executing group from file /etc/raddb/sites-enabled/default Fri Jun 23 11:42:04 2023 : Debug: (2) Delaying response for 1.000000 seconds Fri Jun 23 11:42:04 2023 : Debug: Waking up in 0.3 seconds. Fri Jun 23 11:42:04 2023 : Debug: Waking up in 0.6 seconds. Fri Jun 23 11:42:05 2023 : Debug: (2) Sending delayed response Fri Jun 23 11:42:05 2023 : Debug: (2) Sent Access-Reject Id 192 from 10.56.143.110:1812 to 10.56.143.110:59496 length 32 Fri Jun 23 11:42:05 2023 : Debug: (2) Reply-Message = "Hello bob " Fri Jun 23 11:42:05 2023 : Debug: Waking up in 3.9 seconds. Fri Jun 23 11:42:09 2023 : Debug: (2) Cleaning up request packet ID 192 with timestamp +32 due to cleanup_delay was reached Fri Jun 23 11:42:09 2023 : Info: Ready to process requests Thank you! Best regards, Miguel luis teixeira <luis.carlosteixeira@outlook.com> escreveu no dia sexta, 23/06/2023 à(s) 12:19:
------------------------------ *De:* Freeradius-Users <freeradius-users-bounces+luis.carlosteixeira= hotmail.com@lists.freeradius.org> em nome de Alan DeKok < aland@deployingradius.com> *Enviado:* 20 de junho de 2023 14:50 *Para:* FreeRadius users mailing list < freeradius-users@lists.freeradius.org> *Assunto:* Re: FreeRadius TOTP authenticate fail passcode validation
On Jun 20, 2023, at 5:06 AM, João Miguel Regateiro <jmregateiro@gmail.com> wrote:,
I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password
to
authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ]
If it fails, then the short answer is that the TOTP doesn't match. There isn't really much else which can go wrong.
I've pushed changes to the v3.2.x branch which let you do "radiusd -Xx", and the totp module will now print out the TOTP it expected, and the one it received. You'll have to download and build v3.2.x in order to use it, though.
You can also build a command-line program to test the TOTP. Build the source as normal, and then do:
$ cd src/modules/rlm_totp $ make totp
And then can use the above key:
$ ./totp totp 1687268891 JBSWY3DPEHPK3PXP 601664 Time 1687268891 Expected 601664 Received 601664
or:
$ ./totp totp now JBSWY3DPEHPK3PXP 123456 Time 1687269000 Expected 895298 Received 123456 Fail
My guess is that the TOTP you're giving it is wrong. But increased debug output will let you know exactly what's going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freera... <http://www.freeradius.org/list/users.html>