Cache One Time Password OTP

Gardner, Mark mark.gardner at
Wed Feb 25 22:45:17 CET 2015

On Feb 25, 2015, at 2:54 PM, Gardner, Mark <mark.gardner at> wrote:
>> Has anyone had success in getting free radius to cache a HOTP so it works like a TOTP.

> What does that mean?

I'm speaking in reference to One Time Passwords (OTPs) that are simply appended to the end of a user's regular password, as a form of "Two Factor Authentication" (2FA)
This appending style OTP has the advantage of not needing  client modifications to take advantage of the second factor, users simply login with their username and password appending the OTP to the end of their password.   (as opposed to the client asking for their username and password, and additionally challenging them to provide the One Time Password. )

I'm using a Yubikey configured in "Hashed One Time Password" ( HOTP ) mode. The token uses only the secret and an incrementing counter to generate the OTP.  This Hashed One Time Password is then appended to the users password and sent to the authentication service to be validated.  In my case, an LDAP server configured to authenticate this OTP. 
These HTOP passwords are truly only good for one valid authentication.  The authentication server's counter is incremented after a successful login. 
Typically a "TIME One Time Password" (TOTP) , uses a time component (and sometimes a counter) to generate the OTP.    
Some of these types of OTP generators use OTPs  that are good for small windows of time; from 30 seconds up to several minutes or longer.   
Many implementations of TOTP allow a password/token pair to be used several times in quick succession without needing a new OTP.    

>> The problem I have is a ThinLinc authentication were our LDAP is configured for a HOTP, and ThinLink requires the OTP to be used twice in quick succession across the distributed architecture (once to master once to client)

The ThinLinc documentation ( states in its requirements.  

An OTP server which accepts the OTP twice. This is due to the ThinLinc architecture: The client first contacts the master machine, and then the agent host. The NordicEdge One Time Password Server has built-in support for ThinLinc. When using RSA SecurID, we recommend using the Steel-Belted Radius server as a "Token Caching Server".

I don't want to setup Steel-Belted Radius, or RADIATOR.  I'd rather use freeradius.   I found something in the archives that I belive is exactly what I need.  I'm just not sure how to go about setting it up.

It may be my version of freeradius is too old to use this particular type of caching.  I'm using  freeradius-server  2.1.1-7.18.1  SLES11-SP3

Hopefully This clears things up a little. 

More information about the Freeradius-Users mailing list