FreeRadius 3 and OTP

  • Hello,

    I'm trying to setup OTP authentication with FreeRadius 3 on pfSense 2.4.2. I believe everything is setup correctly but it just NEVER works. I have tried with mOTP and with Google Authenticator, making sure to append the user pin before the OTP when using Google Authenticator - it still doesn't work.

    FreeRadius is configured at least semi-correctly, because it works if I give the user a password, rather than using OTP…

    Every time I attempt a connection, I get "Connection Failed. Username or Password Incorrect" on the connecting device - though of course, they are both correct.

    Looking at the logs, I get this every time (regardless of whether I'm using mOTP or Google Authenticator):

    (18) Login incorrect (mschap: FAILED: No NT/LM-Password. Cannot perform authentication): [username] (from client [whatever] port 0 via TLS tunnel)
    (19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
    (19) eap_peap: to find out the reason why the user was rejected
    (19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
    (19) eap_peap: what went wrong, and how to fix the problem
    (19) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [username] (from client [whatever] port 0 cli xx-xx-xx-xx-xx-xx)

    It's as if it doesn't get that I want to use OTP and it's looking for a password and failing because there isn't one. It seems to always think I want to use eap-peap. I don't. And my user is setup for OTP… I have not even touched the EAP page, in FreeRadius, so everything is set to the default values.

    My Radius Authentication server is set to PAP, under System / User Manager / Authentication Servers.

    I'm at a complete loss. Reinstalled pfSense from scratch - no dice, exactly the same issue...

    I'm just wondering if anyone has experienced the same issue or if anyone has some insights that could point me in the right direction (i.e. what/where I should be looking). As far as I know, there is no setting (at least in the pfSense GUI) to disable EAP.

    Any hints would be greatly appreciated. I'll be more than happy to provide logs / screenshots if needed.


  • Just wanted to add that I configured EAP_TLS and EAP_PEAP to test, and they both work flawlessly, so I believe my Radius configuration is valid. It just refuses to work with OTP and keeps trying to authenticate with EAP_PEAP, even though the client is clearly configured for OTP… I'm sure it's me, because I have seen posts of people stating they got it working, I'm just unable to find my mistake. I've googled, duckduckgoed and binged everything I could think of - I still cannot find the answer...

    Again, any hints, tips or suggestions would be much appreciated.


  • Having the same issue.  I really think it's a bug because md5 encrypted password won't work for me either, however plaintext works fine.

    Hopefully someone can chime in with more information.

  • So, I've been able to configure literally all of the EAP types and they ALL work just fine. The only thing not working is mOTP & Google Authenticator. In the logs, I can see that FreeRADIUS is always trying to authenticate the user with the default EAP type. If I change it, mOTP & GA still fail, because RADIUS is looking for the user password and there isn't one because the user is configured for OTP, but the logs are updated and the "fail" messages state that it was trying to authenticate using whatever default EAP type was selected.

    Why is FreeRADIUS hellbent on authenticating with EAP? I doubt it's a bug, because the pfSense folks are much smarter than I am… So I'm happy to admit I've got something misconfigured somewhere but I can't for the life of me figure out what. I've tested OTP with every permutation of EAP settings and nothing works. It's always the same deal: It tries to authenticate using the default EAP type and fails because there is no password in the user password field.

    Would anybody who got it working be willing to share his/her insights? Would be very much appreciated.

    Thanks to anyone who offers to help.


  • Hi there,

    I just registered to comment that I got OTP to work with PAP protocol only.

    Set it up in System > User Manager > Authentication Servers > your FreeRADIUS auth server > Server Settings > Protocol: PAP. Note that MS-CHAPv2 is the default option.

    I hope this helps someone!

Log in to reply