freeradius OTP with OATH

Thomas Glanzmann thomas at
Fri Sep 7 18:20:41 CEST 2012

Hello Henk,

> I've looked closely at your video and accomplishment with smsotp,
> congrats!

thank you. However the video shows something that is outdated. I now
wrote a perl module for rlm_perl which does it much better without all
the moving parts.

> Did you also had a look at OATH TOTP instead of SMS authentication?
> This is a RFC ( as you may know. A
> user installs an app on their phone which implements this RFC (e.g.
> Google Authenticator) and it acts as a soft token.

I did and evaluated it together with RADIUS.

> I've got this running with freeradius and the google authenticator PAM
> module. The downside of PAM is the lack of challenge-access and
> response support (AFAIK).

If you want a challenge response integration like the user first needs
to authenticate with username and password and than gets a challenge and
needs to answer with a response that is possible. You could also tweak
it that you leave the first step out.

Just have a look at the rlm_perl implementation in

> Do you know of anything that supports OATH and TOTP natively with
> freeradius and can be used with the access-challenge/response system
> (or am I wrong about PAM not supporting that feature)?

I think there was a module, but I don't recall, maybe ask the FreeRadius
List, or grep in the modules directory. I take it on CC.


More information about the Freeradius-Users mailing list