Hi Alan Thanks. Sorry im absolutely new to freeradius. Now i changed in the config to Auth-Type PAP { totp } and reconfigured the vncserver to use PAP and now I got this error: Ready to process requests (0) Received Access-Request Id 83 from 192.168.65.161:58717 to 192.168.65.160:1812 length 71 (0) NAS-Identifier = "vncserver" (0) User-Name = "bw" (0) User-Password = "302427" (0) Message-Authenticator = 0xa8aeb49defe09e2a13087975576d4754 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "bw", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry bw at line 1 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> bw (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 83 from 192.168.65.160:1812 to 192.168.65.161:58717 length 20 Waking up in 3.9 seconds. (0) Sending duplicate reply to client pc1 port 58717 - ID: 83 Waking up in 8.9 seconds. (0) Cleaning up request packet ID 83 with timestamp +61 due to cleanup_delay was reached Am Fr., 7. März 2025 um 13:55 Uhr schrieb Alan DeKok < aland@deployingradius.com>:
On Mar 7, 2025, at 7:40 AM, IT DEB <itdebbw.p@gmail.com> wrote:
I am trying a simple TOTP authentication with the TOTP module. The idea is that the user only has to enter the OTP via Radius and is authenticated.
Freeradius starts but the authentication does not work. See below config and output.
#clients.conf File
Please don't post configuration files. The documentation makes it VERY clear that this isn't needed.
Ready to process requests (0) Received Access-Request Id 23 from 192.168.65.161:60716 to 192.168.65.160:1812 length 72 (0) NAS-Identifier = "vncserver" (0) User-Name = "bw" (0) CHAP-Password = 0x00549ccaa7d52c08fd1655bce475bdd1d9
You can't use CHAP with TOTP. It has to be used with PAP authentication. i.e. User-Password.
(0) Auth-Type CHAP { (0) [totp] = noop
Yup.
I'll add an error message describing why it doesn't work.
There isn't a lot of point in doing TOTP with CHAP. The TOTP is a one-time password, so "hiding" it inside of CHAP doesn't add any security.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html