FreeRadius TOTP authenticate fail passcode validation
Alan DeKok
aland at deployingradius.com
Tue Jun 20 13:50:35 UTC 2023
On Jun 20, 2023, at 5:06 AM, João Miguel Regateiro <jmregateiro at gmail.com> wrote:,
>
>
> I am working on a TOTP authentication method setup with FreeRadius. For
> starters I created the user “bob” on raddb/users and defined a password to
> authenticate against the server
> I have got it to work with just normal user and password but when I try to
> configure the TOTP module and testing using radiusd -X it shows the
> totp.authenticate the return fail. I have made sure that the date time is
> the same UTC +00 on all the environments, and generate the TOTP token with
> sha-1, 6 digits code and 30seconds time frame. [Generate token in base 32 =
> JJBFGV2ZGNCFARKIKBFTGUCYKA====== ] and [Generate default token =
> JBSWY3DPEHPK3PXP ]
If it fails, then the short answer is that the TOTP doesn't match. There isn't really much else which can go wrong.
I've pushed changes to the v3.2.x branch which let you do "radiusd -Xx", and the totp module will now print out the TOTP it expected, and the one it received. You'll have to download and build v3.2.x in order to use it, though.
You can also build a command-line program to test the TOTP. Build the source as normal, and then do:
$ cd src/modules/rlm_totp
$ make totp
And then can use the above key:
$ ./totp totp 1687268891 JBSWY3DPEHPK3PXP 601664
Time 1687268891
Expected 601664
Received 601664
or:
$ ./totp totp now JBSWY3DPEHPK3PXP 123456
Time 1687269000
Expected 895298
Received 123456
Fail
My guess is that the TOTP you're giving it is wrong. But increased debug output will let you know exactly what's going on.
Alan DeKok.
More information about the Freeradius-Users
mailing list