TOTP authentication with the TOTP module
IT DEB
itdebbw.p at gmail.com
Fri Mar 7 12:40:23 UTC 2025
I am trying a simple TOTP authentication with the TOTP module. The idea is that the user only has to enter the OTP via RADIUS and is authenticated. FreeRADIUS starts, but the authentication does not work. See the config and output below.
Thanks,
itdeb
############################################################################
# clients.conf
client pc1 {
	ipaddr = 192.168.65.161
	secret = testing12345
}

# users
# TOTP-Secret is a check (control) item: the base32-encoded shared secret that rlm_totp reads
bw	TOTP-Secret := "JBSWY3DPEHPK3PXP"

# sites-enabled/default (authenticate section)
Auth-Type CHAP {
	totp
}

# mods-enabled/totp
totp {
	time_step = 30
	otp_length = 6
	lookback_steps = 1
	lookback_interval = 30
}
############################################################################
############################################################################
Ready to process requests
(0) Received Access-Request Id 23 from 192.168.65.161:60716 to 192.168.65.160:1812 length 72
(0) NAS-Identifier = "vncserver"
(0) User-Name = "bw"
(0) CHAP-Password = 0x00549ccaa7d52c08fd1655bce475bdd1d9
(0) Message-Authenticator = 0x30156802c7f5b5504b3d1fdd42943c0b
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) chap: &control:Auth-Type := CHAP
(0) [chap] = ok
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bw", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry bw at line 1
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = CHAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type CHAP {
(0) [totp] = noop
(0) } # Auth-Type CHAP = noop
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> bw
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 23 from 192.168.65.160:1812 to 192.168.65.161:60716 length 20
Waking up in 3.9 seconds.
(0) Sending duplicate reply to client pc1 port 60716 - ID: 23
Waking up in 8.9 seconds.
(0) Cleaning up request packet ID 23 with timestamp +34 due to cleanup_delay was reached
Ready to process requests
############################################################################
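As an added reference (not the post's configuration or FreeRADIUS code): a small Python verifier that computes what rlm_totp compares a submitted code against, using the settings from the post (time_step 30, otp_length 6, lookback_steps 1, lookback_interval 30) and the base32 secret format of the users file. It assumes lookback_interval is applied as a time offset per lookback step, and is checked against the RFC 4226/6238 test vectors rather than a live clock.

```python
"""Reference TOTP check (RFC 6238, HMAC-SHA1) for the module settings in the post."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: base32 of the RFC 4226/6238 key "12345678901234567890".
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_totp_secret(secret_b32: str) -> bytes:
    """Decode a users-file style base32 secret (padding may be absent)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, time_step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (time_step = 30)."""
    return hotp(key, now // time_step, digits)


def verify_totp(secret_b32: str, candidate: str, now: int = None, time_step: int = 30,
                digits: int = 6, lookback_steps: int = 1, lookback_interval: int = 30) -> bool:
    """Accept the code for the current step or for up to lookback_steps earlier intervals.

    Assumption: each lookback step subtracts lookback_interval seconds before
    recomputing, which with lookback_interval == time_step means 'one step back'.
    """
    if now is None:
        now = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return False  # reject malformed input before doing any crypto
    key = decode_totp_secret(secret_b32)
    accepted = False
    for step in range(lookback_steps + 1):
        expected = totp(key, now - step * lookback_interval, time_step, digits)
        # constant-time compare; keep looping so timing does not reveal which step matched
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            accepted = True
    return accepted
```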