2FA Challenge via Proxy Realm with valid State

Bill Noyce billnoyce75 at gmail.com
Wed Feb 12 16:47:21 CET 2020


I was hoping to follow the clearly written Wiki article:

My problem is that the 2FA Radius Proxy used to verify the OTP requires a
valid State value, so currently the login process is a 3 step process! I
have allowed State in the Pre-Proxy Attributes filter.

So the current flow is:
1) Username/Password request via AD LDAP
2) Unsuccessful OTP request with invalid State value ( returns valid State
value from the remote OTP Radius server )
3) Successful OTP request

Anyone able to suggest how I go about getting a valid State value from the
OTP radius during the first Access-Request so that the
first Access-Challenge response contains this valid State value?


More information about the Freeradius-Users mailing list