Freeradius 2.x and 3.x OTP - User Time Offset and OTP Lifetime have no impact



  • Hi,

    Hardware: Alix
    pfSense: 2.4.4-p3
    Freeradius: 2.x and 3 - 0.15.7_10

    What I want
    I use FreeRADIUS with Google OTP for OVPN auth. It works like a charm. The problem is, some users need a hardware token generator because they lack a cellphone. These things will never have the time 100% in sync, so I need the offset to correct that. But it feels like it is not working at all.

    Problem
    It feels like the offset is not working at all.
    The OTP code is only valid within the first 15 sec. But it is a SHA1 with a 30 sec. timespan.

    I tried
    First I tried to use the "Time Offset" value under the right user. The GUI told me I can't use a value that would match the 30 sec. offset. My OTP card is exactly one OTP code behind my cellphone. I changed the value manually with the "edit file" tool. It changed nothing in the behavior. The OTP worked in the exact same time frame as before. Then I set the offset to 3600. My expectation was that the OTP code would not be valid anymore. But it was accepted like before within the first 15 sec.
    The second approach was to change the general accept timeframe for all OTP codes. I changed that value from 2 (means 20 sec.) to the maximum 12 (2 min.). I would have expected that I would now be able to use the OTP code even after a new one has been created 2 times. But it changed nothing. Reboots after any change didn't help.

    I stumbled over this thread -> https://forum.netgate.com/topic/39727/new-package-freeradius-2-x/552 but it seems like all the changes have been adapted to the release version.

    Can anyone help?


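For comparison when debugging a setup like the one in the post above, this added example (not part of the original post, and not the pfSense FreeRADIUS package's own code) shows how a per-user time offset and an acceptance window are expected to change the result of an RFC 6238 check with SHA1 and a 30 second step. The `verify` and `scenarios` names, the sign convention of `offset`, and the sample secret and timestamp are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, server_time, offset=0, window=0, step=30):
    """Return the step delta that matched, or None if the code is rejected.

    offset: per-user correction in seconds, added to the server time
            (assumed sign convention; a token running behind needs a negative value).
    window: number of time steps accepted on each side of the corrected time.
    """
    corrected = server_time + offset
    for delta in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, corrected + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return delta
    return None


# Constructed sample data: RFC 6238 test secret, and a hardware token whose
# clock is exactly one step (30 s) behind the server.
SECRET = b"12345678901234567890"
NOW = 1111111109
TOKEN_CODE = totp(SECRET, NOW - 30)


def scenarios():
    """Run the same token code through four server configurations."""
    return {
        "no offset, window 0": verify(SECRET, TOKEN_CODE, NOW),
        "offset -30, window 0": verify(SECRET, TOKEN_CODE, NOW, offset=-30),
        "no offset, window 1": verify(SECRET, TOKEN_CODE, NOW, window=1),
        "offset 3600, window 1": verify(SECRET, TOKEN_CODE, NOW, offset=3600, window=1),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", "reject" if result is None else "accept at step %+d" % result)
```

If a server accepts and rejects the same codes regardless of these two settings, the configured values are most likely not reaching the code path that performs the check.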