Freeradius with Windbind and Google authenticator issues with Cisco Anyconnect VPN

Matthew Newton mcn4 at
Fri Sep 23 16:23:32 CEST 2016

On Fri, Sep 23, 2016 at 09:03:50AM -0400, Alan DeKok wrote:
> On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany at> wrote:
> > Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd>
> > for pam.conf lookup
> > Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate
> > FAILED for <testuser>. Reason: Cannot make/remove an entry for the
> > specified session
>   FreeRADIUS has native winbind support in recent versions.  I
>   think it's relatively simple to add google authenticator
>   support.  There's even Perl code:

Agreed. I'd start on this by splitting the password out into
password/code in FreeRADIUS, then just checking both. You can use
ntlm_auth in up to version 3.0, and rlm_winbind if you want to try
it in v3.1.

Then it's just a matter of also checking the GA code is correct,
maybe with that Perl code.

Avoids using PAM entirely. Which is a good thing.

>   If anyone has time, it shouldn't be hard to write some C code
>   to implement the google authenticator algorithm,.  We could
>   then add it as a native module to the server.

I like all the parts of that apart from the "has time..." bit :(
Doubt it would be a hard module to write, though.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list