On Jun 20, 2023, at 5:06 AM, João Miguel Regateiro <jmregateiro@gmail.com> wrote:,
I am working on a TOTP authentication method setup with FreeRadius. For starters I created the user “bob” on raddb/users and defined a password to authenticate against the server I have got it to work with just normal user and password but when I try to configure the TOTP module and testing using radiusd -X it shows the totp.authenticate the return fail. I have made sure that the date time is the same UTC +00 on all the environments, and generate the TOTP token with sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 = JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token = JBSWY3DPEHPK3PXP ]
If it fails, then the short answer is that the TOTP doesn't match. There isn't really much else which can go wrong. I've pushed changes to the v3.2.x branch which let you do "radiusd -Xx", and the totp module will now print out the TOTP it expected, and the one it received. You'll have to download and build v3.2.x in order to use it, though. You can also build a command-line program to test the TOTP. Build the source as normal, and then do: $ cd src/modules/rlm_totp $ make totp And then can use the above key: $ ./totp totp 1687268891 JBSWY3DPEHPK3PXP 601664 Time 1687268891 Expected 601664 Received 601664 or: $ ./totp totp now JBSWY3DPEHPK3PXP 123456 Time 1687269000 Expected 895298 Received 123456 Fail My guess is that the TOTP you're giving it is wrong. But increased debug output will let you know exactly what's going on. Alan DeKok.