TOTP authentication with the TOTP module
Alan DeKok
aland at deployingradius.com
Fri Mar 7 12:51:12 UTC 2025
On Mar 7, 2025, at 7:40 AM, IT DEB <itdebbw.p at gmail.com> wrote:
> I am trying a simple TOTP authentication with the TOTP module. The idea is
> that the user only has to enter the OTP via RADIUS and is authenticated.
>
> FreeRADIUS starts but the authentication does not work. See below config
> and output.
>
> #clients.conf File
Please don't post configuration files. The documentation makes it VERY clear that this isn't needed.
> Ready to process requests
> (0) Received Access-Request Id 23 from 192.168.65.161:60716 to
> 192.168.65.160:1812 length 72
> (0) NAS-Identifier = "vncserver"
> (0) User-Name = "bw"
> (0) CHAP-Password = 0x00549ccaa7d52c08fd1655bce475bdd1d9
You can't use CHAP with TOTP. It has to be used with PAP authentication. i.e. User-Password.
> (0) Auth-Type CHAP {
> (0) [totp] = noop
Yup.
I'll add an error message describing why it doesn't work.
There isn't a lot of point in doing TOTP with CHAP. The TOTP is a one-time password, so "hiding" it inside of CHAP doesn't add any security.
Alan DeKok.
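
The PAP-versus-CHAP point in the reply above, as an added illustration (not FreeRADIUS code and not part of the original message): a generic RFC 6238 check needs the code the user typed, while a CHAP-Password value is only an ID octet plus an MD5 digest. The function names, the attribute dict and the "noop" return modelled on the debug output are assumptions; the secret is the RFC 6238 test key and the CHAP value is the one from the log.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real token seed
# CHAP-Password exactly as shown in the debug output above (17 octets).
PAGE_CHAP = bytes.fromhex("00549ccaa7d52c08fd1655bce475bdd1d9")

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password: ID octet + MD5(ID | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def check_totp(request: dict, secret: bytes, now: int, window: int = 1) -> str:
    """Return 'ok', 'reject' or 'noop' for a request given as an attribute dict."""
    entered = request.get("User-Password")
    if entered is None:
        # CHAP request: only a digest arrived, so there is no code to compare.
        return "noop"
    for drift in range(-window, window + 1):  # tolerate one step of clock skew
        expected = totp(secret, now + drift * 30)
        if hmac.compare_digest(entered.encode(), expected.encode()):
            return "ok"
    return "reject"

if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    chap_req = {"User-Name": "bw", "CHAP-Password": PAGE_CHAP}
    pap_req = {"User-Name": "bw", "User-Password": totp(SECRET, now)}
    print("CHAP id:", PAGE_CHAP[0], "digest octets:", len(PAGE_CHAP) - 1)
    print("CHAP request:", check_totp(chap_req, SECRET, now))
    print("PAP request: ", check_totp(pap_req, SECRET, now))
```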