Freeradius 3.X with motp module

Alan DeKok aland at
Thu Jul 1 18:43:51 CEST 2021

On Jul 1, 2021, at 11:10 AM, Jonathan C <raidenc at> wrote:
> It seems the 3.X version of freeradius doesn't know the output "ACCEPT" of
> the script but I'm not sure and I don't know what I'm supposed
> to do to make it work like it's supposed to do.

  See raddb/mods-available/exec and raddb/mods-available/echo for documentation on the exec scripts.

  In short, you can't just return random strings and have the server do magic things with the string.

> Below the full output of debug :
> FreeRADIUS Version 3.0.17

  You should upgrade to the latest version.  See

>>  # Loading module "motp" from file /etc/freeradius/3.0/radiusd.conf
>>  exec motp {
>>        wait = yes
>>        program = "/usr/sbin/ %{User-Name} %{User-Password}
>> %{reply:Secret} %{reply:PIN} %{reply:Offset}"
>>        input_pairs = "request"
>>        output_pairs = "reply"
>>        shell_escape = yes
>>  }

  Read the documentation.  You've configured the module to read the output of the program, and expect to parse attributes.  Then, those attributes are placed into the reply.

  You should probably also not put passwords onto the command-line.  Other users on the same system may be able to read them.

>> ...
>> (0) motp: ERROR: Failed parsing output from: /usr/sbin/
>> %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}:
>> Expecting operator

  Exactly.  It expects to read something like

	Framed-IP-Address :=

>> (0) motp: ERROR: Program returned code (0) and output 'ACCEPT'

  That's not an attribute, and it doesn't have an operator, and doesn't have a value.

  This never worked in v2, either.  See modules/echo in v2.  The documentation there is essentially the same as for v3.

  If you want the script to cause authentication to succeed or fail, then read the documentation, and have the script return an appropriate return code.

  Alan DeKok.
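
The contract described in this reply, as an added example that is not code from the thread or from the FreeRADIUS project: the program prints only `Attribute operator value` lines and signals the verdict through its exit code, and it takes the password from the environment instead of the command line. Assumptions: `input_pairs = "request"` exports the request as `USER_NAME` and `USER_PASSWORD`, the exit codes are the ones listed in raddb/mods-available/exec, `MOTP_DB` is a hypothetical root-only file of `user secret pin` lines, and the check is the usual Mobile-OTP calculation with a three-minute window.

```shell
#!/bin/sh
# Added example, not the original motp script. Assumptions are marked.
# Assumed: input_pairs = "request" exports USER_NAME and USER_PASSWORD.
MOTP_DB="${MOTP_DB:-/etc/freeradius/motp.users}"  # hypothetical: "user secret pin"

# Values may arrive wrapped in double quotes (assumed); strip one pair.
unquote() {
    v=$1
    case $v in \"*\") v=${v#\"}; v=${v%\"} ;; esac
    printf '%s' "$v"
}

# Mobile-OTP code for one 10-second step: first 6 hex digits of the MD5.
motp_code() {  # args: step secret pin
    printf '%s%s%s' "$1" "$2" "$3" | md5sum | cut -c1-6
}

# stdout carries only "Attribute operator value" lines; the return code
# carries the verdict (exec module: 0 ok, 1 reject, 5 invalid, 7 notfound).
motp_exec() {  # optional arg: epoch seconds, defaults to now
    now=${1:-$(date +%s)}
    user=$(unquote "${USER_NAME-}")
    otp=$(unquote "${USER_PASSWORD-}")
    [ -n "$user" ] && [ -n "$otp" ] || return 5
    # The appended "" forces a string comparison, so "007" never matches "7".
    line=$(U="$user" awk '($1 "") == (ENVIRON["U"] "") { print $2, $3; exit }' \
        "$MOTP_DB" 2>/dev/null)
    [ -n "$line" ] || return 7
    secret=${line% *}; pin=${line#* }
    step=$(( now / 10 - 18 )); last=$(( now / 10 + 18 ))  # +/- 3 minutes
    while [ "$step" -le "$last" ]; do
        if [ "$(motp_code "$step" "$secret" "$pin")" = "$otp" ]; then
            printf 'Reply-Message := "mOTP accepted"\n'
            return 0
        fi
        step=$(( step + 1 ))
    done
    printf 'Reply-Message := "mOTP rejected"\n'
    return 1
}

# Run only when the server has put the request into the environment.
if [ -n "${USER_NAME+x}" ]; then motp_exec; exit $?; fi
```

This sketch keeps no record of codes already used, so a code remains valid for the whole window; a production verifier also needs that replay cache.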
