Hi Now tested with version 3.2.7. Also not working.... Ready to process requests !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! BlastRADIUS check: Received packet with Message-Authenticator. Setting "require_message_authenticator = true" for client pc1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! It looks like the client has been updated to protect from the BlastRADIUS attack. Please set "require_message_authenticator = true" for client pc1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! (0) Received Access-Request Id 162 from 192.168.65.161:56966 to 192.168.65.160:1812 length 71 (0) NAS-Identifier = "vncserver" (0) User-Name = "bw" (0) User-Password = "383716" (0) Message-Authenticator = 0xb5dd014235fda329b187b71671751094 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) update control { (0) Auth-Type := TOTP (0) } # update control = noop (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = noop (0) } # policy filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bw", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bw at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop Not doing PAP as Auth-Type is already set. (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = TOTP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type TOTP { (0) [totp] = noop (0) } # Auth-Type TOTP = noop (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bw (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 162 from 192.168.65.160:1812 to 192.168.65.161:56966 length 38 Waking up in 3.9 seconds. (0) Sending duplicate reply to client pc1 port 56966 - ID: 162 Waking up in 8.9 seconds. (0) Cleaning up request packet ID 162 with timestamp +20 due to cleanup_delay was reached Ready to process requests Thanks, deb Am Mo., 17. März 2025 um 03:50 Uhr schrieb Alan DeKok < aland@deployingradius.com>:
On Mar 14, 2025, at 7:50 PM, IT DEB <itdebbw.p@gmail.com> wrote:
The TOTP Key is configured in the user file. Its differently for every single user.
bw TOTP-Secret := "JBSWY3DPEHPK3PXP"
I read the documentation several times but i am stucking...
It should work. Perhaps use 3.2.7, as it prints out more messages in debug mode.
i.e. if it returns "noop", it will also print a message explaining what is wrong, and what you need to do in order to fix it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html