FreeRadius TOTP authenticate fail passcode validation

João Miguel Regateiro jmregateiro at gmail.com
Tue Jun 20 09:06:33 UTC 2023


Hello,

I am working on a TOTP authentication method setup with FreeRADIUS. For
starters I created the user "bob" in raddb/users and defined a password to
authenticate against the server.
I have got it to work with just a normal user and password, but when I try to
configure the TOTP module and test using radiusd -X, it shows
totp.authenticate returning fail. I have made sure that the date and time are
the same (UTC+00) on all the environments, and I generate the TOTP token with
SHA-1, a 6-digit code and a 30-second time step. [Generated token in base32 =
JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generated default token =
JBSWY3DPEHPK3PXP ]

This is the configuration file for sites-enabled/default:

authorize{
        #TOTP Authorize
        if (User-Password !~ /^(.*)([0-9]{6})$/) {
                reject
        }

        update request {
                User-Password := "%{1}"
                TOTP-Password := "%{2}"
        }
        #Example Use BOB
        if (&User-Name == "bob") {
                update control { TOTP-Secret := JJBFGV2ZGNCFARKIKBFTGUCYKA====== }
        }
        totp.authenticate
        if (!ok) {
                reject
        }
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
}

This is the configuration file clients.conf:
client network-device {
        ipaddr          = 192.168.1.0/24
        secret          = testing123
}

Note: I have tested sending the TOTP-Secret via update control or update
request, and that gave me different output when calling totp.authenticate:
it returns fail or noop.


Radius client test:
radtest -t pap bob password123456 192.168.1.10:1812 1812 testing123

Output of radiusd -X:

Ready to process requests
(0) Received Access-Request Id 38 from 192.168.1.10:48110 to 192.168.1.10:1812 length 73
(0)   User-Name = "bob"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 192.168.1.10
(0)   NAS-Port = 1812
(0)   Message-Authenticator = 0x66c57ad78dea99a37b8edcf8c79ab46d
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/192.168.1.10/auth-detail-20230619
(0) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.10/auth-detail-20230619
(0) auth_log: EXPAND %t
(0) auth_log:    --> Mon Jun 19 16:05:09 2023
(0)     [auth_log] = ok
(0) files: users: Matched entry bob at line 1
(0) files: EXPAND Hello %{User-Name} THE BUILDER :D
(0) files:    --> Hello bob THE BUILDER :D
(0)     [files] = ok
(0)     if (User-Password !~ /^(.*)([0-9]{6})$/) {
(0)     if (User-Password !~ /^(.*)([0-9]{6})$/)  -> TRUE
(0)     if (User-Password !~ /^(.*)([0-9]{6})$/)  {
(0)       [reject] = reject
(0)     } # if (User-Password !~ /^(.*)([0-9]{6})$/)  = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> bob
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 38 from 192.168.1.10:1812 to 192.168.1.10:48110 length 47
(0)   Reply-Message = "Hello bob THE BUILDER :D "
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 38 with timestamp +3 due to cleanup_delay was reached
Ready to process requests

Please let me know if you can help me on this 🙂 Thank you!

Best regards,
Miguel
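As an added example, not part of the original post and not FreeRADIUS or rlm_totp code, the following Python shows the two things the authorize section above relies on: the "static password + six trailing digits" split that the unlang regex performs, and the RFC 6238 TOTP computation (HMAC-SHA1, 6 digits, 30-second step) that the server must reproduce from the shared secret before it can compare. The function names (split_password, hotp, totp, verify_totp, check_login) are my own; the secrets used are the base32 value from the post and the RFC 6238 test key "12345678901234567890".

```python
"""Added example: an RFC 6238 TOTP check in plain Python (not FreeRADIUS code)."""
import base64
import hmac
import re
import struct

# Same split the unlang in the post performs: everything up to the last six
# digits is the static password, the six digits are the one-time code.
OTP_RE = re.compile(r"^(.*)([0-9]{6})$")

# Secret from the post (base32 with '=' padding) and the RFC 6238 test key,
# which is the ASCII string "12345678901234567890" in base32.
POST_SECRET = "JJBFGV2ZGNCFARKIKBFTGUCYKA======"
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def split_password(user_password):
    """Return (static_password, otp) or None when no six-digit suffix exists."""
    m = OTP_RE.match(user_password)
    if m is None:
        return None
    return m.group(1), m.group(2)


def hotp(secret_b32, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, code, unix_time, step=30, window=1):
    """Accept the code for the current step or +/- `window` steps (clock skew).
    hmac.compare_digest avoids leaking which digits matched through timing."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def check_login(user_password, secret_b32, unix_time):
    """Mirror the post's authorize flow: split first, then verify the OTP part."""
    parts = split_password(user_password)
    if parts is None:
        return "reject: no six-digit suffix"  # the branch the pasted debug output takes
    _static, otp = parts
    return "ok" if verify_totp(secret_b32, otp, unix_time) else "fail"


if __name__ == "__main__":
    import time
    now = time.time()
    print("current code for the post's secret:", totp(POST_SECRET, now))
    print(check_login("password" + totp(POST_SECRET, now), POST_SECRET, now))
    print(check_login("password", POST_SECRET, now))
```

Two things worth checking against the debug output with this in hand: the pasted trace shows `User-Password = "password"` arriving at the server, which has no six-digit suffix, so the regex condition is TRUE and the request is rejected before totp.authenticate ever runs; and when the module does run, the code it computes is only as good as the decoded secret and the clock, so comparing the server's current code (as printed by the script) with the authenticator app's code is the quickest way to tell a secret or time-step mismatch from a configuration problem. The window of one adjacent step on each side is a common tolerance for clock skew; a larger window trades more accepted codes for leniency.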

