[rad] Re: Problem with external authentication script

Ivan Kalik tnt at kalik.net
Mon Jun 15 22:43:16 CEST 2009


> On Mon, 15 Jun 2009, Stefan Kuegler wrote:
>>> >  exec motp {
>>> >        wait = yes
>>> >        program = "/usr/local/bin/otpverify.sh %{User-Name}
>>> >  %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>>> >        input_pairs = request
>>> >        output_pairs = config
>>> >  }
>> It seems, that freeradius never uses the "MOTP"-Auth-type:
>> auth: type "PAP"
>> +- entering group PAP
>
> Not an expert on motp. But should it be mistaken for 'PAP'?

It got "mistaken" for pap because the user1 line in the users file had a crypt
password in it (I don't know what it's doing there - probably shouldn't
be).

> Perhaps
> you need to put your check for 'motp' in the auth section *before* PAP?

Forcing Auth-Type in the users file should work.

If you need both pap (password known to the server) and MOTP (password to
be verified by the external script) working, the user entry can be replaced
with an unlang statement after pap in authorize (both can't be made to work
in 1.x).

> Or remove the reference to PAP altogether if you never use it....?

The policy of the list is "that you should make minimal changes to default
configuration until you make things work; then remove one by one things
you think you don't need, making sure everything you need still works". In
that way, if you mess up it is easy to backtrack.

Listing motp in authorize before pap is likely to achieve - nothing. There
is nothing to suggest that something called "otpverify" can set Auth-Type
to MOTP. So, better not go that way.

Ivan Kalik
Kalik Informatika ISP
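The two options discussed above, written out as an added configuration sketch that is not part of Ivan's reply or the original poster's setup: a per-user Auth-Type override in the users file, and a 2.x unlang fallback after pap for the case where some users have a server-side password and others are checked by the external script. It assumes FreeRADIUS 2.x, that the exec instance is named motp as in the quoted config, and that Secret, PIN and Offset (taken from the quoted exec line) are defined in a local dictionary; the values are placeholders.

```text
# users file: force the external-script Auth-Type for this user and supply
# the reply items the quoted exec line expands (%{reply:Secret} etc.).
# Do NOT also give this user a Cleartext-Password/Crypt-Password, or pap
# will claim the request first.
user1   Auth-Type := MOTP
        Secret = "<secret>", PIN = "<pin>", Offset = "<offset>"

# sites-enabled/default (2.x unlang): pap only sets Auth-Type := PAP when
# a known password was found for the user; when it returns noop, fall
# back to the external script instead of per-user Auth-Type entries.
authorize {
    ...
    files
    ...
    pap
    if (!control:Auth-Type) {
        update control {
            Auth-Type := MOTP
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MOTP {
        motp
    }
}
```

Check with `radiusd -X` that a user without a server-side password logs "Auth-Type = MOTP" and enters the motp exec, while a user with a password still goes through PAP.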
