Hi Marthin, it stores in the user's home folder on radius server.
OK. You're doing it differently than I am. I thought perhaps you might be storing the TOTP secret in Active Directory. I have a setup where I store the TOTP secret as a string inside an unused LDAP attribute on our IDM (Red Hat LDAP server) for each user. I built a web page that authenticates each user with their LDAP credentials, and if authenticated, then gives them the option of generating a new random TOTP secret whose equivalent QR code is displayed on the webpage (so they can provision Google Authenticator/Authy/FreeOTP on their phone) and which gets stored inside that unused LDAP attribute. I also have a custom REST web app that performs the authentication of the user with username and password+TOTP via LDAP and is called via FreeRADIUS's rlm_rest. Since you seem that have a much different setup from mine I don't think what I'm doing would help you. -Martin