SV: EXEC Access-challenge

Thomas Raabo - Zitcom A/S tr at
Thu Oct 11 11:57:11 CEST 2012

Thats seems like a way to go.

But your right... Its very hard to find documentation on this topic.

Changed it and now  

It seems that update check I checket way before th script.

++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
++? if (updated)
? Evaluating (updated) -> FALSE
++? if (updated) -> FALSE
Found Auth-Type = otp
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group otp {...}
[pap] login attempt with password "test2"
[pap] Using SHA1 encryption.
[pap] User authenticated successfully
++[pap] returns ok
[OTP]   expand: %{User-Name} -> test2
[OTP]   expand: %{User-Password} -> test2
[OTP]   expand: %{reply:Secret} -> 891a79d80c9f1cd2
[OTP]   expand: %{reply:Pin} -> 0201
[OTP]   expand: %{reply:Offset} -> 1
Exec-Program output: Reply-Message += "Enter SMS", State += "12536",
Exec-Program-Wait: value-pairs: Reply-Message += "Enter SMS", State += "12536",
Exec-Program: returned: 9
++[OTP] returns updated
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test2
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 145 to port 56003
        Reply-Message += "Enter SMS"
        State += 0x3132353336
Waking up in 4.9 seconds.
Cleaning up request 0 ID 145 with timestamp +1
Ready to process requests.

Med venlig hilsen | Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466

tr at | Direkte: +45 69 10 60 18 | Tlf.: +45 70 23 55 66

-----Oprindelig meddelelse-----
Fra: at [ at] På vegne af Phil Mayers
Sendt: 11. oktober 2012 10:56
Til: freeradius-users at
Emne: Re: EXEC Access-challenge

On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote:
> I´am trying to create a php OTP script with challenge reponse.
> echo "Reply-Message += \"Enter SMS\",\n";
> echo "State += \"$random\",\n";
> echo "Response-Packet-Type = \"Access-Challenge\",\n";

I think that needs to be a control item, not a reply item, and you can't set reply & control items from an "exec" script at the same time. 
Therefore, I'm not sure you can do that with an exec script alone.

(ignore the non-technical bits, the poster was being... combative)

...and maybe:

I think something like the following might be what you need:

authorize {
   if (updated) {
     update control {
       Response-Packet-Type := Access-Challenge

...and make your "exec" script return "updated" (9)

The server isn't really rigged for scripts/unlang sending Access-Challenge, so this is not a well-explored area. If someone who is using this could write a wiki article detailing the considerations, that would be great. It seems to be a common requirement. I'm guessing the Google "2-step" auth and imitators have rekindled interest in OTP?
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list