How to import TOTP tokens from pfSense Freeradius

Hi
I have a pfSense firewall with Freeradius that we use for PIN+TOTP login to VPN servers based on this firewall. We would like to move our tokens from pfSense to privacyIDEA. I am able to import the following data from pfSense to PI via CSV:
user, resolver, domain, serialnumber, secret, type

After import the token is available in the PI and attached to its user. But this operation does not import the user’s PIN. Can I also import the PIN via the CSV file? How? If not, can I add it manually to the token? There is a field “set a PIN” in the token form, but if I set it, my login does not work.

Thanks for help

Aldomoro

No

Yes

Please elaborate on “my login does not work”. Where are you trying to log in? (Did you check that the token works without a PIN?)
What are you doing?
What does your config look like?
What does the audit log say?

Hi Cornelinux

Scenario that works for me: I chose a user in the PI, clicked Add token, and chose Registration. An e-mail is sent to the user. The user logs in to the PI webpage, sets up a PIN and captures the QR code. Then he is able to log in to the VPN with PIN+TOTP. If I open his token, I can test the token successfully (PIN+TOTP or even only TOTP).

Scenario that does not work for me. I have this csv file
'# version: 2
john,dc1,company_local,john,XTYMIJ73G4PVLKE6,TOTP

I imported it to the PI. I can see that the token was attached to the existing user John. So far, nice!

If I test the TOTP only, I get the following error - “500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.”

My user John also has a PIN registered on pfSense. I opened John’s token, filled in his PIN twice and clicked on the Setup PIN button.

If I test PIN+TOTP, I again get the 500 Internal Server Error.

This is what I see in the log (shorter version):

  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/tokens/HMAC.py", line 82, in hmac
    dig = self.secretObj.hmac_digest(data_input, self.hashfunc)
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/crypto.py", line 115, in hmac_digest
    self._setupKey_()
  File "/opt/privacyidea/lib/python3.9/site-packages/privacyidea/lib/crypto.py", line 138, in _setupKey_
    self.bkey = binascii.unhexlify(akey)
binascii.Error: Non-hexadecimal digit found

Which config shall I send you?

Am I guessing right that the problem is in the pfSense secret?

Thanks, Aldomoro

Look at the error traceback!

“Non-hexadecimal digit found”.

Look at the documentation. In chapter 13.1.2.

It says that the seed should be in hexadecimal format.

Your file contains something that looks like a base32 encoded string.
You need to re-encode your base32 encoded string and encode it to hex.

Use your preferred scripting language or tools like base32 and hd or xxd.
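
The re-encoding step described above, as an added example (not part of the original posts and not privacyIDEA's own code): it rewrites the secret column of the CSV from base32 to hex before import. The column position is an assumption taken from the row layout shown in the thread, and the sample row is constructed.

```python
import base64
import binascii
import csv
import io

SECRET_COL = 4  # assumption: user,resolver,domain,serial,secret,type as in the thread


def b32_to_hex(secret: str) -> str:
    """Decode a base32 TOTP seed and return it as lowercase hex."""
    cleaned = secret.replace(" ", "").replace("-", "").rstrip("=").upper()
    if not cleaned:
        raise ValueError("empty secret")
    # Exports often drop the '=' padding; base32 needs 8-character groups.
    cleaned += "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(cleaned).hex()
    except binascii.Error as exc:
        raise ValueError("secret is not valid base32") from exc


def convert_csv(text: str) -> str:
    """Return the CSV with every secret re-encoded as hex; other fields untouched."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            writer.writerow(row)  # keep blank lines and the "# version" header
            continue
        if len(row) <= SECRET_COL:
            raise ValueError(f"line {lineno}: expected at least {SECRET_COL + 1} fields")
        try:
            row[SECRET_COL] = b32_to_hex(row[SECRET_COL])
        except ValueError as exc:
            # Report the line only; never echo the seed into logs or terminals.
            raise ValueError(f"line {lineno}: {exc}") from None
        writer.writerow(row)
    return out.getvalue()


# Constructed sample input (not a real token seed).
SAMPLE = "# version: 2\nalice,dc1,company_local,alice,jbsw y3dp ehpk 3pxp,TOTP\n"

if __name__ == "__main__":
    print(convert_csv(SAMPLE), end="")
```

The converted file holds the token seeds in clear text, so handle it like the original export and delete it after the import.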

Thank you cornelinux

I found it helped when Python converted the base32 code to hex. When I manually add a PIN to the token, all tests pass well and I am able to log in to the VPN with the PIN and OTP.

Is there any chance to import the PIN as well?

Thanks, Aldomoro

To my knowledge, the PIN currently cannot be imported.