Freeradius with Windbind and Google authenticator issues with Cisco Anyconnect VPN

Alan DeKok aland at
Fri Sep 23 15:03:50 CEST 2016

On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany at> wrote:
> Hi Guys
> I am trying to configure Google Authenticator to work with Windbind for VPN
> using Cisco Anyconnect on Ubuntu . Windbind works fine without Google
> Authenticator., but combined it does not work.
> I would need some help from the community. Here below are my configs and
> debugs/errors i am seeing:
> # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS

  Hmm... using PAM isn't recommended.  PAM is generally intended for applications which authenticate a user once.  We've seen issues in the past with memory leaks and performance problems.
> Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd>
> for pam.conf lookup
> Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate
> FAILED for <testuser>. Reason: Cannot make/remove an entry for the
> specified session

  Well, that's a PAM issue.  You should ask the PAM people why their software doesn't work.

  FreeRADIUS has native winbind support in recent versions.  I think it's relatively simple to add google authenticator support.  There's even Perl code:

  TBH, we've had bad luck with third-party "authentication" systems.  They are buggy, opaque, and produce either no debug messages, or entirely useless debug messages.  In contrast, FreeRADIUS works, it's stable, and it tells you exactly what it's doing and why.

  If anyone has time, it shouldn't be hard to write some C code to implement the google authenticator algorithm,.  We could then add it as a native module to the server.

  Alan DeKok.

More information about the Freeradius-Users mailing list