Freeradius second auth factor

Anton Kiryushkin swood at
Fri Dec 20 14:48:13 CET 2019

Hi Alan.

Nice to get an answer from you.
The First factor is password stored in DB.
Second is SMS.

No, it is not for wifi; it is for VPN. As far as I understand, Cisco ASA
sends the request to the radius with the final data: login, password,
OTP-code. The only possible way to auth with the OTP is to generate it via
phone application like Google Authenticator.
My question is, does it possible to send an SMS instead of using the
Again, I don't ask the ready solution. I try to figure out the process at
this point.

пт, 20 дек. 2019 г. в 13:40, Alan DeKok <aland at>:

> On Dec 20, 2019, at 6:53 AM, Anton Kiryushkin <swood at> wrote:
> >
> > I want to configure the second authorisation factor with EAP-type, and
> md5
> > hashed password saved in MySQL.
> > I found several modules and services like MultiOTP and Smsotp, but I
> can't
> > understand how to provide the SMS before the authorisation or how to ask
> > FreeRadius to wait for the process sends SMS?
>   You need to configure a module to send the SMS.  How that works depends
> on how the SMS is sent.  And only you know that.
> > Could you please explain this to me?
>   What kind of 2 factor auth do you want to do?
>   To be honest, the only thing that's going to work is TTLS + PAP.  Since
> passwords are stored in MD5 format in the DB, nothing else will work.
>   But... if this is for WiFi, users will be *very* unhappy if they have to
> enter a new OTP every time they switch access points.  That's just not
> going to work.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

Best regards,
Anton Kiryushkin

More information about the Freeradius-Users mailing list