Fortigate SSL VPN with LDAP and TOTP

Hello,
How can I configure my privacyIDEA to perform LDAP password and TOTP?
The LDAP resolver and RADIUS work fine at my FortiGate, but I can log in only with the username and TOTP key.

Thanks, Marcus

Hi marcusr,

Look at our documentation:

https://privacyidea.readthedocs.io/en/latest/policies/authentication.html?highlight=otppin

Br

Julio

It works.
Thank you :)

OK, I am completely new to RADIUS here. I read that doc, and it looks like I need to change the auth in a policy to be Passthrough for users who do not have a token, but I would like to make it so they pass the user/TOKENPIN and then get asked for the OTP.

I am trying to use it on a FortiGate SSL and Horizon View.

Does anyone have an example policy?

Could you please tell me what configurations you have made in PI and RADIUS?

Hello @julio and @marcusr !

Sorry for the inconvenience, but how did this setup work?
Within my current setup, the FortiGate recognises the RADIUS server (based on FreeRADIUS with the privacyIDEA extension) and returns the following message during Test User Credentials:

Code: 3
ID: 28
Length: 35
Auth: 56 25 87 D1 F9 13 81 37 5C D3 31 61 D6 2A 76 6B
AVP: l=15 t=Reply-Message(18) 
  Value: 'wrong otp pin'

which looks fine to me. But what does the complete setup look like for a VPN with user and password plus TOTP?

Regards, Guenther

You need to do PAP.


Correct. Leading to an answer like:

Code: 2
ID: 77
Length: 81
Auth: 18 75 E4 F5 30 66 B1 D5 C7 37 8C A6 E5 67 C3 A4
AVP: l=20 t=Vendor-Specific(26) v=(44929)
  VSA: l=14 t=unknown(1)
  Value: 54 4f 54 50 30 36 37 32 33 37 39 32
AVP: l=28 t=Reply-Message(18) 
  Value: 'privacyIDEA access granted'
AVP: l=13 t=Vendor-Specific(26) v=Fortinet(12356)
  VSA: l=7 t=Fortinet-Group-Name(1)
  Value: 'Staff'

I am not sure if you said
a) what you are trying to achieve,
b) what you did, and
c) what happened.
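An added example, not code from this thread or from privacyIDEA itself, showing why the answer above is PAP: a RADIUS server can undo the RFC 2865 User-Password obfuscation and recover the plaintext, which is the only way it can split the LDAP password from the trailing TOTP value as the otppin policy from the linked documentation requires (CHAP/MS-CHAP only carry a hash, so no split is possible). The shared secret, authenticator and password below are constructed, and "the OTP is the last six digits" is an assumption for the split.

```python
import hashlib


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password as a PAP client does (RFC 2865, section 5.2).
    Each 16-byte block is XORed with MD5(secret + previous cipher block);
    the first block uses MD5(secret + Request-Authenticator)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_encode: what the RADIUS server (FreeRADIUS + plugin) can
    do with PAP because it knows the shared secret and the authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def split_pin_otp(password: str, otp_len: int = 6):
    """Split '<LDAP password><OTP>' the way an otppin=userstore setup expects.
    Assumption: the TOTP digits are the trailing otp_len characters.
    Returns (pin, otp), or None when no plausible OTP ends the string."""
    if len(password) <= otp_len or not password[-otp_len:].isdigit():
        return None
    return password[:-otp_len], password[-otp_len:]


def server_side_split(encoded: bytes, secret: bytes, authenticator: bytes, otp_len: int = 6):
    """Everything the server needs from one PAP request: plaintext, then pin+OTP."""
    return split_pin_otp(pap_decode(encoded, secret, authenticator).decode(), otp_len)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"sharedsecret"
    authenticator = bytes(range(16))          # a real client sends 16 random bytes
    wire = pap_encode(b"LdapPassw0rd!123456", secret, authenticator)
    print(wire.hex())                          # what travels in User-Password(2)
    print(server_side_split(wire, secret, authenticator))  # ('LdapPassw0rd!', '123456')
```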