I am currently setting up a FreeRadius (version 3.0) server with LinOTP (version 3.2.3) as an OTP module.
According to the documentation, setting up a policy with the action "otppin=password" uses a combination of the user password and his/her personal OTP-pin value to authenticate (https://www.linotp.org/doc/latest/part-management/policy/authentication.html):
1 or password: In addition to the OTP value the user must enter the password from his user database, e.g. his LDAP or Active Directory password (in case of LDAPUserIdResolver) or his password in the Passwd-File or in the SQL Database (UserPW+OTP). So the authentication will be successful with: USERPASSWORDOTP
Practical example: The user t_testme with the password t_testme tries to authenticate with the OTP pin 123456 on the FreeRadius server. So according to the documentation, he would type in the password field t_testme123456.
However, the authentication fails and I get a sad smiley face in the logfile:
Sent Access-Request Id 113 from 0.0.0.0:42587 to 127.0.0.1:1812 length 78
User-Name = "t_testme"
User-Password = "t_testme051943"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "t_testme051943"
Received Access-Reject Id 113 from 127.0.0.1:1812 to 127.0.0.1:42587 length 50
Reply-Message = "LinOTP server denied access!"
(0) -: Expected Access-Accept got Access-Reject
After a bit of testing and playing around, I tried the password + OTP combination the other way around, like this:
OTP + password, i.e. "008933t_testme". This surprisingly worked:
Sent Access-Request Id 6 from 0.0.0.0:45685 to 127.0.0.1:1812 length 78
User-Name = "t_testme"
User-Password = "008933t_testme"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "008933t_testme"
Received Access-Accept Id 6 from 127.0.0.1:1812 to 127.0.0.1:45685 length 43
Reply-Message = "LinOTP access granted"
My question is, is this the correct behaviour of LinOTP? If yes, could you please change the above-mentioned documentation?
If not, did I configure something wrong?
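The mechanism this report turns on, as an added illustration that is not LinOTP's or FreeRADIUS's own code: the server receives a single User-Password string and has to split it at the OTP length under one fixed convention, so a credential entered as password+OTP will not verify on a server that splits as OTP+password, and vice versa. The HOTP routine follows RFC 4226; the stored password, token secret and counter below are constructed for the example.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # the OTPs in the report (051943, 008933) are six digits long


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_credential(submitted: str, order: str, digits: int = OTP_DIGITS):
    """Split the combined User-Password into (password, otp) under one convention.

    order="password+otp" is what the documentation describes (USERPASSWORDOTP);
    order="otp+password" is what the reporter observed the server accepting.
    Returns None when the string is too short to contain both parts.
    """
    if len(submitted) <= digits:
        return None
    if order == "password+otp":
        return submitted[:-digits], submitted[-digits:]
    if order == "otp+password":
        return submitted[digits:], submitted[:digits]
    raise ValueError(f"unknown order {order!r}")


def check_combined(submitted: str, stored_password: str, secret: bytes,
                   counter: int, order: str) -> bool:
    """Verify a combined credential the way an otppin=password policy does:
    the user-database password AND the OTP must both match."""
    parts = split_credential(submitted, order)
    if parts is None:
        return False
    password, otp = parts
    # Constant-time comparisons so neither the password nor the OTP check
    # leaks which part failed through timing.
    password_ok = hmac.compare_digest(password.encode(), stored_password.encode())
    otp_ok = hmac.compare_digest(otp.encode(), hotp(secret, counter).encode())
    return password_ok and otp_ok
```

Because the split position is fixed by the OTP length, the same string can only ever be valid under one of the two conventions, which is exactly the asymmetry the two radtest runs above show.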