FreeRadius 3 & OTP

  • Hello,

    I'm trying to setup OTP authentication with FreeRadius 3 on pfSense 2.4.2. I believe everything is setup correctly but it just NEVER works. I have tried with mOTP and with Google Authenticator, making sure to append the user pin before the OTP when using Google Authenticator - it still doesn't work.

    FreeRadius is configured at least semi-correctly, because it works if I give the user a password, rather than using OTP…

    Every time I attempt a connection, I get "Connection Failed. Username or Password Incorrect" on the connecting device - though of course, they are both correct.

    Looking at the logs, I get this every time (regardless of whether I'm using mOTP or Google Authenticator):

    (18) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username] (from client [whatever] port 0 via TLS tunnel)
    (19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
    (19) eap_peap: to find out the reason why the user was rejected
    (19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
    (19) eap_peap: what went wrong, and how to fix the problem
    (19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username] (from client [whatever] port 0 cli xx-xx-xx-xx-xx-xx)

    It's as if it doesn't get that I want to use OTP and it's looking for a password and failing because there isn't one. It seems to always think I want to use eap-peap. I don't. And my user is setup for OTP… I have not even touched the EAP page, in FreeRadius, so everything is set to the default values.

    My Radius Authentication server is set to PAP, under System / User Manager / Authentication Servers.

    I'm at a complete loss. Reinstalled pfSense from scratch - no dice, exactly the same issue...

    Any help would be very much appreciated. I'll be more than happy to provide logs / screenshots if needed.


  • Hello,

    I'm just wondering if anyone has experienced the same issue or if anyone has some insights that could point me in the right direction (i.e. what/where I should be looking). As far as I know, there is no setting (at least in the pfSense GUI) to disable EAP.

    Any hints would be greatly appreciated.


Log in to reply