TOTP authentication with the TOTP module

Alan DeKok aland at deployingradius.com
Fri Mar 7 12:51:12 UTC 2025


On Mar 7, 2025, at 7:40 AM, IT DEB <itdebbw.p at gmail.com> wrote:
> I am trying a simple TOTP authentication with the TOTP module. The idea is
> that the user only has to enter the OTP via Radius and is authenticated.
> 
> Freeradius starts but the authentication does not work. See below config
> and output.
> 

> #clients.conf File

  Please don't post configuration files.  The documentation makes it VERY clear that this isn't needed.

> Ready to process requests
> (0) Received Access-Request Id 23 from 192.168.65.161:60716 to 192.168.65.160:1812 length 72
> (0)   NAS-Identifier = "vncserver"
> (0)   User-Name = "bw"
> (0)   CHAP-Password = 0x00549ccaa7d52c08fd1655bce475bdd1d9

  You can't use CHAP with TOTP.  It has to be used with PAP authentication.  i.e. User-Password.

> (0)   Auth-Type CHAP {
> (0)     [totp] = noop

  Yup.

  I'll add an error message describing why it doesn't work.

  There isn't a lot of point in doing TOTP with CHAP.  The TOTP is a one-time password, so "hiding" it inside of CHAP doesn't add any security.

  Alan DeKok.
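
An added illustration of the point in the reply above (not part of the original message and not FreeRADIUS code): a TOTP check compares the cleartext code from User-Password, while a CHAP request carries only a 1-byte ID plus an MD5 digest, 17 bytes like the CHAP-Password in the log. The function names, request dictionaries and secret are constructed for this example.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def chap_password(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password: CHAP ID byte + MD5(ID || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
    return bytes([chap_id]) + digest

def check_totp(request: dict, secret: bytes, now: int, skew: int = 1) -> str:
    """Hypothetical stand-in for a TOTP check: 'ok', 'reject' or 'noop'."""
    submitted = request.get("User-Password")
    if submitted is None:
        # CHAP request: only a digest is present, so there is no code to compare.
        return "noop"
    for drift in range(-skew, skew + 1):
        t = now + drift * 30
        if t < 0:
            continue
        # Constant-time comparison against each time step in the allowed window.
        if hmac.compare_digest(totp(secret, t).encode(), submitted.encode()):
            return "ok"
    return "reject"

# Constructed sample data (RFC 6238 test secret, not taken from the post).
SECRET = b"12345678901234567890"
NOW = 59
OTP = totp(SECRET, NOW)
PAP_REQUEST = {"User-Name": "bw", "User-Password": OTP}
CHAP_REQUEST = {"User-Name": "bw",
                "CHAP-Password": chap_password(0, OTP, bytes(16))}

if __name__ == "__main__":
    print("PAP :", check_totp(PAP_REQUEST, SECRET, NOW))
    print("CHAP:", check_totp(CHAP_REQUEST, SECRET, NOW))
    print("CHAP-Password length:", len(CHAP_REQUEST["CHAP-Password"]))
```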


