Freeradius second auth factor

Steffen Klemer steffen.klemer at
Mon Dec 30 10:00:42 CET 2019

Am Fr, 20.12.2019 um 18:05 schrieb Anton Kiryushkin <swood at>:

> > > Yes, I can, but you didn't answer the question: does it possible
> > > to run exec and use generated code during the authorisation?  
> >
> >   I did answer the question.  Please pay attention.
> >
> >   You can run the "exec" module anywhere.  Just list it in the
> > "authorize" section.  That's done for ANY module.
> >  
> Yes, again, but I can't trigger it in advance in order to send the OTP
> code. I hoped on a miracle. Merry Christmas!

I don't think that's possible. When you see a packet in FR the ASA
already sent the auth-request so you can't have the just created SMS
TAN in it -- so the first request hast to fail somehow, tell the ASA to
ask again, now hopefully with the correct TAN in the password. I
wouldn't like such a solution :). There should be some outband-way to
request a TAN.

Also your SMS-solution might by easily abused but just sending many
auth-requests to the VPN.


Steffen Klemer                     E-Mail: steffen.klemer at
                                   Tel:    +49 551 201 2170

GWDG - Gesellschaft für wissenschaftliche
Datenverarbeitung mbH Göttingen
Am Faßberg 11, 37077 Göttingen

Tel:    +49 551 201-1523
E-Mail: support at

Tel:    0551 201-1510
Fax:    0551 201-2150
E-Mail: gwdg at
Geschäftsführer:           Prof. Dr. Ramin Yahyapour
Aufsichtsratsvorsitzender: Prof. Dr. Christian Griesinger
Sitz der Gesellschaft:     Göttingen
Registergericht: Göttingen, Handelsregister-Nr. B 598
Zertifiziert nach ISO 9001
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5915 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list