Regarding providing Custom TOTP MFA in freeradius

Alan DeKok aland at
Tue Apr 2 13:39:49 UTC 2024

On Apr 2, 2024, at 2:06 AM, Dineshkumar pachamuthu <dineshkumar.pachamuthu at> wrote:
> I have recently been working and developing with the freeradius EAP protocol. I need to send access-challenge request with state and Reply-Message "Enter TOTP" inside of inner-tunnel of EAP-TTLS/PAP Protocol which will prompt the user to enter TOTP and send the access request again and will process and authenticate the user for MFA. 
> I have gone through this solution inside the authorize section of  inner-tunnel but the EAP module sends access-reject when doing this change, Please guide me in the proper direction on how to achieve this in our environment.

  There is no mechanism in the EAP-TTLS protocol where you can send an Access-Challenge back to the end user device.  Even if you sent a Reply-Message to it inside of the TTLS tunnel, the end user device would ignore it.

  No EAP-TTLS supplicant supports prompting users with a challenge.

  Alan DeKok.

More information about the Freeradius-Devel mailing list