FreeRadius 3 & OTP
I'm trying to set up OTP authentication with FreeRadius 3 on pfSense 2.4.2. I believe everything is set up correctly but it just NEVER works. I have tried with mOTP and with Google Authenticator, making sure to append the user pin before the OTP when using Google Authenticator - it still doesn't work.
FreeRadius is configured at least semi-correctly, because it works if I give the user a password, rather than using OTP…
Every time I attempt a connection, I get "Connection Failed. Username or Password Incorrect" on the connecting device - though of course, they are both correct.
Looking at the logs, I get this every time (regardless of whether I'm using mOTP or Google Authenticator):
(18) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username] (from client [whatever] port 0 via TLS tunnel)
(19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(19) eap_peap: to find out the reason why the user was rejected
(19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(19) eap_peap: what went wrong, and how to fix the problem
(19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username] (from client [whatever] port 0 cli xx-xx-xx-xx-xx-xx)
It's as if it doesn't get that I want to use OTP and it's looking for a password and failing because there isn't one. It seems to always think I want to use eap-peap. I don't. And my user is set up for OTP… I have not even touched the EAP page in FreeRadius, so everything is set to the default values.
My Radius Authentication server is set to PAP, under System / User Manager / Authentication Servers.
I'm at a complete loss. Reinstalled pfSense from scratch - no dice, exactly the same issue...
Any help would be very much appreciated. I'll be more than happy to provide logs / screenshots if needed.
I'm just wondering if anyone has experienced the same issue or if anyone has some insights that could point me in the right direction (i.e. what/where I should be looking). As far as I know, there is no setting (at least in the pfSense GUI) to disable EAP.
Any hints would be greatly appreciated.