Re: Re: RADIUS integration question

Hi Mark,
You need to define a policy.
Where and how did you search? Maybe we can improve the docs.
Kind regards,
Cornelius

Cornelius Kölbel, +49 151 2960 1417
NetKnights GmbH, http://netknights.it
+49 561 3166 797

-------- Original message --------
From: Mark Steyn
Date: 14.01.17 00:23 (GMT+01:00)
To: privacyidea
Subject: [privacyidea] Re: RADIUS integration question

Sorry, dumb question, but I have been stuck on this for a while and can’t find a solution in the docs…

How do I change the behaviour to
LDAP-Password + OTP value

My setup works with
OTP_PIN + OTP_value
Furthermore, my LDAP resolver works against my Active Directory.

Now I am stuck at getting the RADIUS interface to use
LDAP-Password + OTP value

Help or suggestions gladly received.


On Friday, December 30, 2016 at 7:13:35 AM UTC, Cornelius Kölbel wrote:

Hi Brian,
the RADIUS module is pretty dumb. It simply forwards the data the user entered, which was sent to the RADIUS server in User-Name and User-Password, to the /validate/check endpoint. Everything else is determined by the privacyIDEA server.
The default behaviour is that the user passes an
OTP-PIN + OTP value
This can be changed to
LDAP-Password + OTP value
Under certain conditions this can also be a challenge response. In most cases challenge response is not necessary (only for SMS and email). In the challenge response case the /validate/check endpoint first takes the static password. If it is correct, it then expects the OTP value. This is the case even without any RADIUS involved.
If RADIUS is involved, it will return an Access-Challenge. Roughly speaking, the module is just a protocol translator.
Kind regards,
Cornelius
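As an added example (not privacyIDEA's or the RADIUS module's own code), here is a small Python model of the flow Cornelius describes: the RADIUS side forwards User-Name and User-Password to /validate/check untouched, and the server's policy decides whether the static prefix is the token PIN or the LDAP password, or, for a challenge-response token, first checks the static password alone and answers with a transaction_id that the RADIUS side turns into an Access-Challenge. The policy name `otppin` with values `tokenpin`/`userstore` follows privacyIDEA's authentication policy; the user, passwords and OTP values are constructed.

```python
import secrets

# Constructed data: one user with an LDAP password and one token with three unused OTPs
USERSTORE = {"mark": "LdapSecret!"}
TOKENS = {"mark": {"pin": "1234", "otps": ["111111", "222222", "333333"]}}
CHALLENGES = {}   # transaction_id -> user; server-side challenge-response state

def _consume_otp(user, otp):
    """Accept an unused OTP exactly once (replay protection), as a real OTP check would."""
    otps = TOKENS[user]["otps"]
    if otp in otps:
        otps.remove(otp)
        return True
    return False

def validate_check(user, password, otppin="tokenpin", challenge=False, transaction_id=None):
    """Model of /validate/check: returns (result_value, detail) like the JSON reply.
    otppin: 'tokenpin' -> password is OTP-PIN + OTP; 'userstore' -> LDAP password + OTP.
    challenge: True models a challenge-response token (SMS/email)."""
    if user not in TOKENS:
        return False, {"message": "unknown user"}
    static = USERSTORE[user] if otppin == "userstore" else TOKENS[user]["pin"]
    if transaction_id is not None:
        # Second step of challenge-response: the client answers with the OTP only
        if CHALLENGES.pop(transaction_id, None) != user:
            return False, {"message": "unknown transaction"}
        return _consume_otp(user, password), {"message": "challenge answered"}
    if challenge:
        # First step: only the static password; on success issue a challenge
        if password != static:
            return False, {"message": "wrong password"}
        tid = secrets.token_hex(8)
        CHALLENGES[tid] = user
        return False, {"transaction_id": tid, "message": "enter OTP"}
    # Plain mode: the static part is the prefix, the OTP is whatever follows it
    if not password.startswith(static):
        return False, {"message": "wrong PIN/password"}
    return _consume_otp(user, password[len(static):]), {"message": "checked"}

def radius_translate(user_name, user_password, state=None, **policy):
    """The 'dumb' RADIUS side: forward the attributes, map the answer to a packet type.
    state models the RADIUS State attribute carrying the transaction_id between packets."""
    ok, detail = validate_check(user_name, user_password, transaction_id=state, **policy)
    if ok:
        return "Access-Accept", None
    if "transaction_id" in detail:
        return "Access-Challenge", detail["transaction_id"]
    return "Access-Reject", None
```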

On Thursday, 29 December 2016 19:10:31 UTC+1, Brian Candler wrote:

I am going through the privacyidea documentation trying to work out what the behaviour of FreeRADIUS + privacyidea is.
I have read:

but neither of these says what privacyidea actually does in response to an incoming RADIUS request.
Such a request will normally contain a User-Name and a User-Password. And let’s assume I have configured privacyidea with an existing username+password database, say in LDAP or SQL.
Does privacyidea split the User-Password into and parts, i.e. the user is supposed to concatenate them? Or does it respond with an Access-Challenge asking for the OTP? Or does it validate only the token response and not the password? Or something else?
I have looked in the code for and it seems to call the /validate/check endpoint, which in turn is documented at
and I think this REST endpoint takes a concatenation of the password plus OTP (although it talks about “OTP pin” rather than “password”)
But then looking in the module code, further on it seems to generate an Access-Challenge.
Hence I’m pretty confused. A simple description of the behaviour when responding to an incoming RADIUS request would be great. This in turn will help me understand if it can be used in certain RADIUS scenarios, e.g. EAP-TTLS + PAP/GTC.
