2FA token two fields

Alan DeKok aland at deployingradius.com
Mon Feb 7 20:55:12 UTC 2022


On Feb 7, 2022, at 3:33 PM, Adam Barnett <adambarnett52 at gmail.com> wrote:
> I am super new to freeradius so sorry if this is a stupid question

  Believe it or not, I was there once, too.  It was about 1997, though. :(

> I have configured it for use for an application that is using username,
> password and an OTP
> 
> The application asks the user for their username and password, and then
> once they have been entered asks for the OTP
> 
> When running freeradius in debug mode I can see that the username is correct
> but the password field has been overwritten with the 2FA token, I am
> unsure what I need to change so this does not get overwritten and it's seen
> as two fields...

  There's nothing you can change on FreeRADIUS to fix this.  If the application only sends the OTP and not the password, then no amount of poking FreeRADIUS will fix the application.

  What's typically done is to mash the password together with the OTP.   For an example, see:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/totp
> 
> (0) Found Auth-Type = pam
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0) pam: Using pamauth string "radiusd" for pam.conf lookup
> (0) pam: ERROR: pam_authenticate failed: Authentication failure
> (0)     [pam] = reject

  I would suggest not using PAM.  There's really no reason for it.

  The server can read just about any "passwd" file, database, etc.  Just let the server do its job, and avoid horrible complex things like PAM.

  Plus, if something goes wrong in the PAM layer, it's impossible to debug.  In contrast, the FreeRADIUS debug output is huge, but 99% of the time it contains what you need to fix the problem.

  PAM?  You get "failed".  Why?  "failed".  What do I fix?  "failed"

  Arg.

  Alan DeKok.
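The "mash the password together with the OTP" approach from the reply above, worked through as an added example (this is illustrative Python, not code from the post or from the FreeRADIUS totp virtual server): the client sends a single User-Password of the form password+OTP, and the server side splits it, checks the static password, then checks the token as RFC 6238 TOTP with a small clock-drift window and replay rejection. Assumptions, none of which come from the page: the token is the last 6 digits of the value, the user table is a constructed in-memory dict, and the TOTP seed is the RFC 6238 reference secret so the outputs can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed demo user table (assumption: a real deployment reads this from
# a passwd-style file or a database, as the reply above suggests).
# The seed is the RFC 6238 reference secret "12345678901234567890".
USERS = {
    "bob": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time step already used (replay guard)
    },
}

TOTP_DIGITS = 6    # assumption: client appends a 6-digit token to the password
TOTP_STEP = 30     # RFC 6238 default time step, seconds
TOTP_WINDOW = 1    # accept one step of clock drift in either direction


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = TOTP_DIGITS,
         step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def split_password(user_password: str,
                   digits: int = TOTP_DIGITS) -> Optional[Tuple[str, str]]:
    """Split a concatenated 'password+OTP' User-Password into its two parts.

    Because the token has a fixed length, splitting from the end is
    unambiguous even when the static password itself ends in digits.
    Returns None when the value is too short or the suffix is not all digits.
    """
    if len(user_password) <= digits:
        return None
    password, token = user_password[:-digits], user_password[-digits:]
    if not token.isdigit():
        return None
    return password, token


def authenticate(username: str, user_password: str,
                 now: Optional[int] = None) -> bool:
    """Accept only if both the static password and the TOTP token are valid."""
    user = USERS.get(username)
    parts = split_password(user_password)
    if user is None or parts is None:
        return False
    password, token = parts
    # Constant-time compare so a wrong password is not distinguishable by timing.
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return False
    now = int(time.time()) if now is None else now
    counter = now // TOTP_STEP
    for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        candidate = counter + delta
        if candidate <= user["last_counter"]:
            continue   # a token for this step was already accepted: reject replay
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), token):
            user["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with the reference secret gives 94287082,
    # i.e. 287082 for a 6-digit token.
    print(totp(b"12345678901234567890", 59))
    print(authenticate("bob", "correct horse battery staple287082", now=59))
    print(authenticate("bob", "correct horse battery staple287082", now=59))  # replay
```

The point of the fixed-length suffix is that the server never needs a separator character, and the user can keep a password that ends in digits. The replay guard is the part people forget: a TOTP token is valid for the whole step (plus the drift window), so without recording the last accepted step an attacker who captures one RADIUS exchange can replay it until the window closes.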


