Topic: FreeRadius 3 & OTP

zxb32
FreeRadius 3 & OTP
« on: December 09, 2017, 11:35:35 pm »
Hello,

I'm trying to set up OTP authentication with FreeRadius 3 on pfSense 2.4.2. I believe everything is set up correctly but it just NEVER works. I have tried with mOTP and with Google Authenticator, making sure to append the user PIN before the OTP when using Google Authenticator - it still doesn't work.

FreeRadius is configured at least semi-correctly, because it works if I give the user a password, rather than using OTP...

Every time I attempt a connection, I get "Connection Failed. Username or Password Incorrect" on the connecting device - though of course, they are both correct.

Looking at the logs, I get this every time (regardless of whether I'm using mOTP or Google Authenticator):

(18) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username] (from client [whatever] port 0 via TLS tunnel)
(19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(19) eap_peap: to find out the reason why the user was rejected
(19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(19) eap_peap: what went wrong, and how to fix the problem
(19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username] (from client [whatever] port 0 cli xx-xx-xx-xx-xx-xx)

It's as if it doesn't get that I want to use OTP and it's looking for a password and failing because there isn't one. It seems to always think I want to use eap-peap. I don't. And my user is set up for OTP... I have not even touched the EAP page in FreeRadius, so everything is set to the default values.

My Radius Authentication server is set to PAP, under System / User Manager / Authentication Servers.

I'm at a complete loss. Reinstalled pfSense from scratch - no dice, exactly the same issue...

Any help would be very much appreciated. I'll be more than happy to provide logs / screenshots if needed.

Cheers
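
An added example, not part of the original post or of the FreeRADIUS package: a small Python parser for the "Login incorrect" lines quoted above that reports which module rejected each request and whether it arrived inside a TLS tunnel, which shows whether a client is actually sending PAP. The regular expression assumes the line layout seen in this post, and the request-20 line is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: the "Login incorrect" lines quoted in the post, plus
# one constructed PAP rejection (request 20) for contrast.
SAMPLE_LOG = """\
(18) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username] (from client [whatever] port 0 via TLS tunnel)
(19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username] (from client [whatever] port 0 cli xx-xx-xx-xx-xx-xx)
(20) Login incorrect (pap: Cleartext password does not match): [alice] (from client [whatever] port 0)
"""

# Assumed layout: (req) Login incorrect (module: reason): [user] (from client ...)
REJECT = re.compile(
    r"^\((?P<req>\d+)\) Login incorrect \((?P<module>\w+): (?P<reason>.*)\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>.*)\)$"
)

def parse_rejects(log_text):
    """Return one dict per 'Login incorrect' line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = REJECT.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["req"] = int(rec["req"])
        # Inner (tunnelled) requests are tagged by FreeRADIUS in the client part.
        rec["inner_tunnel"] = rec["client"].endswith("via TLS tunnel")
        out.append(rec)
    return out

def methods_seen(rejects):
    """Count rejections per module name (mschap, eap_peap, pap, ...)."""
    return Counter(r["module"] for r in rejects)

def non_pap_users(rejects):
    """Users whose request was handled as MS-CHAP or EAP rather than PAP."""
    return sorted({r["user"] for r in rejects
                   if r["module"] == "mschap" or r["module"].startswith("eap")})

if __name__ == "__main__":
    for r in parse_rejects(SAMPLE_LOG):
        where = "inner tunnel" if r["inner_tunnel"] else "outer request"
        print(f'({r["req"]}) {r["user"]}: {r["module"]} [{where}] {r["reason"]}')
    print("non-PAP users:", non_pap_users(parse_rejects(SAMPLE_LOG)))
```
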

zxb32
Re: FreeRadius 3 & OTP
« Reply #1 on: December 10, 2017, 11:00:08 am »
Hello,

I'm just wondering if anyone has experienced the same issue or if anyone has some insights that could point me in the right direction (i.e. what/where I should be looking). As far as I know, there is no setting (at least in the pfSense GUI) to disable EAP.

Any hints would be greatly appreciated.

Cheers