Freeradius and 2 Factor Authentication

Aaron Smith Aaron.Smith at
Thu Jun 2 20:52:51 CEST 2016

Doesn't matter how awesome SecureID is if you don't have the budget for it.  :)    I think the issue stems from an initial misunderstanding (on my part) of authentication in Freeradius.  I was thinking that Freeradius would be able to negotiate MSChapv2 and then give the password that the user supplied to a module or perl script to be authenticated by the OTP server.  I was thinking this because if I configure my windows 7 client to create an IKEv2 tunnel using EAP-MSCHAPv2, it will work just fine with Freeradius and a plain old user in the Users file.  I figured "Well, it can see my password to compare it to THAT, so it must HAVE the password".  After further reading, though, I think what it gets after negotiating MSChapv2 is a hashed password, so it snags the password from the users file, hashes THAT and then compares the hashes.  So it has no way of giving the plain text password to anything at all, thus limiting the types of authentication that will work to those that provide plain text passwords to begin with.

Aaron Smith
System Administrator
Information Services
Kalamazoo College
1200 Academy Street, Kalamazoo, MI 49006
(269) 337-7496
Aaron.Smith at

-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Arran Cudbard-Bell
Sent: Thursday, June 02, 2016 2:10 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius and 2 Factor Authentication

> On Jun 2, 2016, at 1:26 PM, Aaron Smith <Aaron.Smith at> wrote:
> SecureId is pretty expensive, and it looks like Yubikey is hardware only.

But awesome.

>  Our users prefer a software based token.

Meh.  Honestly, with NFC/USB, using a hardware token is simpler, press the button and it all just works.

> SMSOtp might work, but although MOST of our users prefer software tokens, we do have some that prefer the hardware KT type tokens.

You shouldn't have any issues getting it working with Google authenticator.  The only time you have difficulty is when there needs to be more of a conversation.

>  I've been working on this for a while now, trying a ton of different freeradius permutations and have pretty much decided that it's impossible to use Freeradius

Sounds like a protocol limitation to me.  So more accurately it's not possible to use RADIUS or EAP authentication with the OTP solutions you're trying because they're fundamentally incompatible?
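As an added illustration of the point made in this thread (not code from the list or from FreeRADIUS itself), here is the MS-CHAPv2 NT-Response computation from RFC 2759 in Go. The verifying side needs only the 16-byte NT hash (MD4 of the UTF-16LE password, which this example takes as a given input rather than computing) plus the two challenges and the user name, so the cleartext password is never available to hand to an OTP backend; the sample values in the test are constructed, not a standards test vector.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
)

// ChallengeHash (RFC 2759 §8.2): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(bytes.Join([][]byte{peer, auth, []byte(user)}, nil))
	return sum[:8]
}

// desKey (RFC 2759 §8.6): spread 56 key bits over 8 bytes, leaving each byte's low bit as the DES parity bit.
func desKey(k7 []byte) []byte {
	var v uint64
	for i, b := range k7 {
		v |= uint64(b) << (56 - 8*uint(i)) // byte 0 lands in the top of the word
	}
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte(v>>(57-7*uint(i))&0x7F) << 1
	}
	return k8
}

// ntResponse (RFC 2759 §8.1, §8.5): DES-encrypt the challenge under three keys cut from the zero-padded NT hash. Only the hash is needed; the cleartext password never enters this computation.
func ntResponse(authChal, peerChal []byte, user string, ntHash []byte) ([]byte, error) {
	chal := challengeHash(peerChal, authChal, user)
	zHash := make([]byte, 21) // 16-byte hash + 5 zero bytes = three 7-byte DES keys
	copy(zHash, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, err := des.NewCipher(desKey(zHash[i*7 : i*7+7]))
		if err != nil {
			return nil, err
		}
		blk.Encrypt(out[i*8:i*8+8], chal)
	}
	return out, nil
}

// verifyNTResponse is the server-side check: recompute from the stored NT hash and compare in constant time.
func verifyNTResponse(authChal, peerChal []byte, user string, ntHash, response []byte) bool {
	expected, err := ntResponse(authChal, peerChal, user, ntHash)
	return err == nil && subtle.ConstantTimeCompare(expected, response) == 1
}
```

With PAP, EAP-TTLS/PAP or EAP-GTC the server instead receives the cleartext string, which is what an OTP backend needs.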

