Netgate Discussion Forum

    RESOLVED: Captive Portal - One Time Password Help

    • blaine07 @Gertjan

      @Gertjan said in Captive Portal - One Time Password Help:

      Hi,

      Dumping logs on a phone screen ?
      Are you also setting up OTP using a phone ?
      Do yourself a favor : don't.

      You'll be needing a classic console (ssh) access first.
      Then, in the GUI, stop FreeRadius.
      In the console, option 8, start FreeRadius with

      radiusd -X
      

      You'll be seeing the entire freeradius logs on your screen in real time.
      The initial "OTP" authentication, and also the re-authentication, some 300 seconds (default) after that.

      @Gertjan I think I did this right? It's weird because you can see it being authed but then on renew key or something not found. No idea if I'm getting these posted right... if I didn't please let me know.

      No idea wtheck I'm doing wrong but for the life of me can't figure out how to post a snippet of code.

      Nevertheless...

      radius -X

      • Gertjan @blaine07

        @blaine07 said in Captive Portal - One Time Password Help:

        No idea wtheck I'm doing wrong but for the life of me can't figure out how to post a snippet of code.

        Consider piping output of
        radiusd -X
        to a file - or make PuTTY remember the last 10 thousand lines and copy these ^^

        Big logs don't belong on the forum anyway - and will get refused. That issue was solved in the late nineties, when pastebin.com (and comparables) came alive.

        The issue is shown clearly (I guess) :

        [image]

        although it might be worth it to check what this means :

        [image]

        Btw : I'm not a Google OTP user ...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • blaine07 @Gertjan

          @Gertjan yeah I just wasn't sure if pastebin was preferred here or not; thank you!

          Yeah, I saw the same as you, I just don't understand why the device is initially authenticated then later can't be re-authenticated. I've googled the last few lines you said to look into until I'm blue in the face and turned up nothing useful other than basic make-sure-time-is-synced etc. stuff 😥

          • Gertjan

            Found this https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login

            There is also an official video talking about Google OTP, you'll find it in the same thread.


            • blaine07 @Gertjan

              @Gertjan

              Will watch slide video shortly found in linked thread.

              Seems most of the talk about OTP is in relation to VPN or the pfSense admin page. Is it THAT different to integrate OTP into the Captive Portal versus the other two? I mean this doesn't seem terribly difficult so not entirely sure what's going wrong versus if I was using OTP to authenticate a VPN user. 🤔🤦🏼‍♂️

              • blaine07 @Gertjan

                @Gertjan said in Captive Portal - One Time Password Help:

                Found this https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login

                There is also an official video talking about Google OTP, you'll find it in the same thread.

                Alright, watched that hangout and skimmed through the thread. Didn't lead me to any new conclusions. Tried a few new things and no progress so far :-( Maybe OTP just isn't meant to be used with CP 🤷🏼‍♂️

                • blaine07

                  I realized this is VPN but I suspect it may be related. A command, reneg-sec, as what they describe is pretty much identical to my problem. Get connected but can't stay.

                  What's the equivalent of "reneg-sec" for captive portal?

                  The excerpt: One more thing: OpenVPN renegotiates the authentication every 3600 seconds. But a Google Authenticator code is only valid for 30 seconds. So then renegotiation will fail and you will be disconnected and asked to re-enter your password (your PIN + your current Google Authenticator code). That's ok and it works but you may want to change that behaviour.

                  The relevant setting is reneg-sec and you must set it to the number of seconds after which you want the negotiation to occur. 3600 is the default but you could set it to a higher value like a day. Use 0 to disable it altogether. Here I'm using 0; use however many you like.

                  Found here(towards bottom of guide): https://vorkbaard.nl/how-to-set-up-openvpn-with-google-authenticator-on-pfsense/

                  • Gertjan

                    Also : remember I was talking about the "pap" error ?

                    Check out the video at the end, jimp is also talking about this "pap".


                    • blaine07 @Gertjan

                      @Gertjan said in Captive Portal - One Time Password Help:

                      Also : remember I was talking about the "pap" error ?

                      Check out the video at the end, jimp is also talking about this "pap".

                      Yes its type is set to PAP. :-(

                      Any other ideas? 😬😥

                      • blaine07

                        HERE

                        So, turned this off/unchecked (in pfSense Captive Portal Settings) and so far it seems to have fixed everything. In captive portal I have a 45min timeout set and a 60min hard timeout set. With this every-minute check disabled, after 60min will it still toss the OTP users off as it would before, when it was checking every minute? 😕 What exactly is turning this toggle off going to do, or what else will it affect?

                        Thanks!

                        • blaine07

                          Alright, used it for an hour. Turning that check box, Reauthenticate Users, under Captive Portal Configuration OFF appears to have no other adverse effects. Idle timeout and hard timeout, again on the Captive Portal Configuration page, are still respected as well.

                          So I guess the moral is, anyone looking to utilize OTP with Captive Portal... make sure the above-mentioned box IS UNCHECKED (toggled off). :-)

                          Thank you for all the help and tips @Gertjan; I appreciate your time. 🙂

                          1 Reply Last reply Reply Quote 0
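
Added example, not part of the thread and not pfSense or FreeRADIUS code: a small model of why the periodic re-check throws an OTP user off while the timeouts alone do not. It assumes the portal re-sends the password cached at login (PIN + code) and that the RADIUS side accepts codes one 30-second step either way; `radius_check` and `portal_session` are hypothetical names, and the secret and PIN are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds one TOTP code stays current (RFC 6238 default)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and a 30-second time step."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def radius_check(secret: bytes, pin: str, password: str, now: int,
                 drift_steps: int = 1) -> bool:
    """Assumed stand-in for the RADIUS OTP check: password is PIN + code."""
    if not password.startswith(pin):
        return False
    code = password[len(pin):]
    return any(hmac.compare_digest(code, totp(secret, now + d * STEP))
               for d in range(-drift_steps, drift_steps + 1))


def portal_session(secret: bytes, pin: str, login_time: int,
                   reauth_every: int, hard_timeout: int):
    """Return (seconds the session lasted, reason it ended)."""
    cached = pin + totp(secret, login_time)      # what the user typed at login
    if not radius_check(secret, pin, cached, login_time):
        return 0, "login rejected"
    if reauth_every:                             # 0 models the box unchecked
        for t in range(login_time + reauth_every,
                       login_time + hard_timeout, reauth_every):
            # Same cached password is replayed; the code inside it has aged.
            if not radius_check(secret, pin, cached, t):
                return t - login_time, "reauthentication rejected"
    return hard_timeout, "hard timeout"


if __name__ == "__main__":
    secret, pin = b"constructed-demo-secret", "4321"   # constructed values
    start = 1_700_000_000
    print(portal_session(secret, pin, start, 60, 3600))   # re-check on
    print(portal_session(secret, pin, start, 0, 3600))    # re-check off
```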