2FA Challenge via Proxy Realm with valid State

Alan DeKok aland at deployingradius.com
Wed Feb 12 19:17:05 CET 2020

On Feb 12, 2020, at 10:47 AM, Bill Noyce <billnoyce75 at gmail.com> wrote:
> I was hoping to follow the clearly written Wiki article:
> https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy


> My problem is that the 2FA Radius Proxy used to verify the OTP requires a
> valid State value, so currently the login process is a 3 step process! I
> have allowed State in the Pre-Proxy Attributes filter.
> So the current flow is:
> 1) Username/Password request via AD LDAP
> 2) Unsuccessful OTP request with invalid State value (returns valid State
> value from the remote OTP Radius server)

  More correctly *no* State.

  The State is created by the home server, and sent in an Access-Challenge.

> 3) Successful OTP request
> Anyone able to suggest how I go about getting a valid State value from the
> OTP radius during the first Access-Request so that the
> first Access-Challenge response contains this valid State value?

  Proxy the original Access-Request to the OTP radius.  However, doing this involves checking the user's password in the "authorize" section:

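authorize {
        if (!State) {
                if (&User-Password) {
                        # If !State and User-Password (PAP), then force LDAP:
                        update control {
                                Ldap-UserDN := "%{User-Name}@my-domain.com"
                        }

                        # run the "authenticate" method of "ldap"
                        ldap.authenticate
                        if (!ok) {
                                # password check failed: stop here, do not proxy
                                reject
                        }

                        # password is good: proxy the original Access-Request,
                        # so the home server creates the State and sends it
                        # in its Access-Challenge
                        update control {
                                Proxy-To-Realm := "foo"
                        }
                }
        }
}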

  Something like that should work.
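
Added example (not part of the original message, and not FreeRADIUS code): a small Python check for the State handling discussed above, run over the packets seen on the leg between the proxy and the OTP home server. The helper names (build, parse, check_state) and the sample packets are constructed for illustration; authenticators are zeroed and User-Password is omitted.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RFC 2865 packet codes
USER_NAME, STATE = 1, 24                   # RFC 2865 attribute types

def build(code, ident, attrs):
    """Encode a packet; the authenticator is zeroed (constructed sample data)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Decode code, id and attribute TLVs, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad packet length")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[off], pkt[off + 2:off + pkt[off + 1]]))
        off += pkt[off + 1]
    return code, ident, attrs

def check_state(packets):
    """Return (packet number, problem) for each State-handling error."""
    problems, pending = [], None      # pending: State from the last challenge
    for n, raw in enumerate(packets, 1):
        code, _ident, attrs = parse(raw)
        states = [v for t, v in attrs if t == STATE]
        if code == ACCESS_CHALLENGE:
            pending = states[0] if states else None
        elif code == ACCESS_REQUEST:
            if pending is None and states:
                problems.append((n, "State sent with no preceding challenge"))
            elif pending is not None and not states:
                problems.append((n, "reply to challenge carries no State"))
            elif pending is not None and states[0] != pending:
                problems.append((n, "State differs from the challenge"))
            pending = None
    return problems

# Constructed conversation on the proxy <-> OTP home server leg.
first = build(ACCESS_REQUEST, 1, [(USER_NAME, b"bob")])
challenge = build(ACCESS_CHALLENGE, 1, [(STATE, b"otp-session-1")])
GOOD = [first, challenge, build(ACCESS_REQUEST, 2, [(USER_NAME, b"bob"), (STATE, b"otp-session-1")])]
STRIPPED = [first, challenge, build(ACCESS_REQUEST, 2, [(USER_NAME, b"bob")])]
```

GOOD is the two-request flow the reply aims for: the first Access-Request has no State, the home server's Access-Challenge creates it, and the second request echoes it back. STRIPPED shows what the check reports when the State is lost on the way to the home server.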
