Netgate Discussion Forum

    Freeradius + totp time drift

    • Luca De Andreis

      Hello everyone!

      We use a fair number of pfSense Plus installations, some of which handle the VPN head-end function with RADIUS authentication.
      FreeRADIUS + TOTP (Google Authenticator).

      Everything works perfectly with authentication via an app (Google Authenticator or similar); the problem occurs with physical TOTP dongles.

      It seems that automatic time drift handling (validity window) and self-centering of the drift are not supported, and this generates huge problems when a physical dongle becomes misaligned (OK, you can specify a manual drift, but do it for 1000 users...).

      Do you know if there are any solutions? OK... implement an external RADIUS with all the relevant functionality and have pfSense point to that.

      Many thanks

      Luca

      • stephenw10 (Netgate Administrator)

        Hmm, I'm not aware of anything like that for FreeRADIUS in pfSense. You may need to use an external RADIUS server that supports it.

        Just to be clear, you are using devices that show the OTP code to users, who then enter it manually in the same way they would with Google Authenticator? Not a device that connects physically to authenticate?

        Steve

        • Luca De Andreis @stephenw10

          @stephenw10

          Exactly, Steve: devices that display a numeric code that the user enters manually together with his PIN.

          Out of curiosity, the development and implementation of FreeRADIUS 3 + plugin in pfSense is not handled directly by Netgate, is it? We would also be willing to pay a fee for the implementation of a function like this that solves the problem for a thousand users.

          Luca

          • stephenw10 (Netgate Administrator)

            It is maintained mostly by Netgate. Others have contributed.

            If the FreeRADIUS project already has features to support this, it may be easy enough to add to the pfSense package. However, I'm not seeing anything in my initial search...

            • Luca De Andreis @stephenw10

              @stephenw10

              FreeRADIUS does not natively support TOTP. Indirectly it can be supported; for example, in Debian I use FreeRADIUS together with libpam-oath and oathtool, where I can specify a "self-centering" tolerance window, meaning that after authentication the system knows the time offset of the client and centers its "tolerance" window on it.
              The fact is that if you don't use systems of this type, it is almost impossible to use hardware tokens.

              Luca

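The self-centering window described in the post above, written out as an added Python example (not code from pfSense, FreeRADIUS or libpam-oath): a verifier accepts a code anywhere inside a +/- N-step window, then remembers the step offset that matched and centers the next window on it, so a slowly drifting hardware token keeps working; the secret, user name and timestamps are constructed for the demo.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

STEP = 30   # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def totp(secret: bytes, now: int, drift_steps: int = 0) -> str:
    """Code a token displays at Unix time `now` if its clock is off by `drift_steps` steps."""
    return hotp(secret, now // STEP + drift_steps)


@dataclass
class UserState:
    offset: int = 0          # learned clock offset of this user's token, in steps
    last_counter: int = -1   # highest counter accepted so far (replay protection)


class DriftTolerantTotp:
    """Verifies inside a +/-window, then re-centers the window on the offset that matched."""

    def __init__(self, window: int = 3):
        self.window = window
        self.users: dict[str, UserState] = {}   # constructed in-memory store for the demo

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        state = self.users.setdefault(user, UserState())
        base = now // STEP + state.offset        # window is centered on the learned offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= state.last_counter:    # never accept a reused or older step
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                state.offset += delta            # self-centering: remember the new offset
                state.last_counter = counter
                return True
        return False
```

A verifier without the re-centering step (fresh state each time) rejects the same token once its drift exceeds the fixed window, which is the failure the thread describes.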
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.