Freeradius and 2 Factor Authentication

Peter Lambrechtsen peter at
Fri Jun 3 03:40:12 CEST 2016

On Fri, Jun 3, 2016 at 11:28 AM, Arran Cudbard-Bell <
a.cudbardb at> wrote:

> > On Jun 2, 2016, at 6:22 PM, Peter Lambrechtsen <peter at> wrote:
> >
> > I've been looking at the TOTP open standard and there is a perl script
> > written for FreeRadius.
> I looked at one point, and figured out you could implement it in unlang
> policies without too much trouble :)
> I really don't understand that whole fascination people have with OTP
> though.  I think it's a cruel and unusual punishment to force on users
> (unless it's Yubikey, which is lovely).

While I agree with you philosophically on OTP in general being a bit of a
painful experience. And plugging a Yubikey into a USB Port hitting a button
and getting a bit long string makes for a pleasant end user experience. I
do see there are multiple sites now support TOTP where the enrollment is
seamless for end-users. Login to a web site, use Google Authenticator or
Authy or any other myriad of TOTP clients to scan the QR code. The
enrollment experience is awesome when you're armed with your smart phone
using a browser on a desktop and consistent across multiple sites / cloud
providers as everyone is doing TOTP multi-factor authentication. If you go
into the Yubikey world, even though it's awesome you are still locked into
that vendor.

The pain is when using the OTP when logging in, granted it's not much fun
on a phone if you are logging into a site and you need to copy & paste
inside the time limit from the TOTP client into the phone browser. When
they are different devices it's pretty simple. The Fortinet FortiToken-200
is a pretty good build quality physical token yet it still conforms to the
RFC6238 / OATH standard.

I really like this site as it's super easy to
implement a full client side browser based enrollment process all in a
single dumb html page.

Preaching to the choir here. But I am a big advocate for the open standard
RFC compliant token solution rather than locking you into any particular
vendor. Some people say Open Standards gives you the ultimate flexibility.

This blog entry:

Covers how to do it all using Perl. It's a little dodgy since they use perl
to query ldap to get the hash which seems a very complex way to go about it
IMHO. Was thinking an rlm_totp would be awesome. Pull out the TOTP hex
string key from the database of your choice during Authorize putting it
into a control VSA and then during Authenticate make sure it matches up
with an option in the module config to support how many cycles + / - the
current time to support.
I'm sure you will say patches welcome :), which is something I plan to do
once one other things is off my plate.

More information about the Freeradius-Users mailing list