Not able to work it out with TOTP on Google Auth, LDAP Resolver

Hi, I'm just starting with this. I have installed the RADIUS plugin and configured the LDAP resolver. Most things are working as they should, except that the challenge_response OTP from Google Authenticator is not getting validated. I'm using the NTRadPing utility to test. I'm setting this up to use it with Palo Alto VPN MFA.
Below is the debug log. I have only one TOTP token generated, for a single user who is in LDAP, and have this policy:
{ "challenge_response": "hotp totp", "otppin": "userstore" }
I have spent 3 days, working overnight, but couldn't figure it out. If anyone can help, I would really appreciate it…

Listening on auth address * port 1812
Listening on proxy address * port 51679
Ready to process requests
(0) Received Access-Request Id 12 from 192.168.240.7:8234 to 192.168.240.251:1812 length 54
(0) User-Name = "my-user-name"
(0) User-Password = "XXXXXXXXXX"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) authorize {
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'my-user-name'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'XXXXXXXXXX'
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'my-user-name'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'XXXXXXXXXX'
(0) [perl-privacyidea] = ok
(0) if (ok || updated) {
(0) if (ok || updated) -> TRUE
(0) if (ok || updated) {
(0) update control {
(0) Auth-Type := Perl
(0) } # update control = noop
(0) } # if (ok || updated) = noop
(0) } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(0) Auth-Type Perl {
(0) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'my-user-name'
(0) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'XXXXXXXXXX'
(0) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL localhost/validate/check (https removed from the begining)
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: User-Name = my-user-name
rlm_perl: RAD_REQUEST: User-Password = XXXXXXXXXX
rlm_perl: Auth-Type: Perl
rlm_perl: url: localhost/validate/check (https removed from the begining)
rlm_perl: user sent to privacyidea: my-user-name
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea:
rlm_perl: state sent to privacyidea:
rlm_perl: urlparam pass = XXXXXXXXXX
rlm_perl: urlparam user = my-user-name
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.379901
rlm_perl: Content {"detail": {"attributes": null, "message": "please enter otp: ", "messages": ["please enter otp: "], "multi_challenge": [{"attributes": null, "message": "please enter otp: ", "serial": "TOTP0000302C", "transaction_id": "05959945740079174960", "type": "totp"}], "serial": "TOTP0000302C", "threadid": 140322719241984, "transaction_id": "05959945740079174960", "transaction_ids": ["05959945740079174960"], "type": "totp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": false}, "time": 1595244101.2548287, "version": "privacyIDEA 3.3.3", "versionnumber": "3.3.3", "signature": "rsa_sha256_pss: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"}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: ++++ Parsing group: Mapping
rlm_perl: +++++ Found member 'Mapping user'
rlm_perl: ++++ Parsing group: Attribute
rlm_perl: +++++ Found member 'Attribute Filter-Id'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Filter-Id'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
rlm_perl: +++++ Found member 'Attribute otherAttribute'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'otherAttribute'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
rlm_perl: +++++ Found member 'Attribute Class'
rlm_perl: ++++++ Attribute: IF ''->'' == '' THEN 'Class'
rlm_perl: ++++++ no directory
rlm_perl: +++++++ User attribute is a string:
rlm_perl: +++++++ trying to match
rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
rlm_perl: +++ Map: serial -> privacyIDEA-Serial
rlm_perl: return RLM_MODULE_HANDLED
(0) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'my-user-name'
(0) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'XXXXXXXXXX'
(0) perl-privacyidea: &reply:State = $RAD_REPLY{'State'} -> '05959945740079174960'
(0) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'please enter otp: '
(0) perl-privacyidea: &reply:privacyIDEA-Serial += $RAD_REPLY{'privacyIDEA-Serial'} -> 'TOTP0000302C'
(0) perl-privacyidea: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(0) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0) [perl-privacyidea] = handled
(0) } # Auth-Type Perl = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Sent Access-Challenge Id 12 from 192.168.240.251:1812 to 192.168.240.7:8234 length 0
(0) State = 0x3035393539393435373430303739313734393630
(0) Reply-Message = "please enter otp: "
(0) privacyIDEA-Serial += "TOTP0000302C"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 12 with timestamp +74
Ready to process requests
(1) Received Access-Request Id 13 from 192.168.240.7:8888 to 192.168.240.251:1812 length 76
(1) User-Name = "my-user-name"
(1) User-Password = “232839”
(1) State = 0x3035393539393435373430303739313734393630
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1) authorize {
(1) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'my-user-name'
(1) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '232839'
(1) perl-privacyidea: $RAD_REQUEST{'State'} = &request:State -> '0x3035393539393435373430303739313734393630'
(1) perl-privacyidea: &request:State = $RAD_REQUEST{'State'} -> '0x3035393539393435373430303739313734393630'
(1) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'my-user-name'
(1) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '232839'
(1) [perl-privacyidea] = ok
(1) if (ok || updated) {
(1) if (ok || updated) -> TRUE
(1) if (ok || updated) {
(1) update control {
(1) Auth-Type := Perl
(1) } # update control = noop
(1) } # if (ok || updated) = noop
(1) } # authorize = ok
(1) Found Auth-Type = Perl
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/privacyidea
(1) Auth-Type Perl {
(1) perl-privacyidea: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'my-user-name'
(1) perl-privacyidea: $RAD_REQUEST{'User-Password'} = &request:User-Password -> '232839'
(1) perl-privacyidea: $RAD_REQUEST{'State'} = &request:State -> '0x3035393539393435373430303739313734393630'
(1) perl-privacyidea: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(1) perl-privacyidea: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: true
rlm_perl: Default URL localhost/validate/check (https removed from the begining)
rlm_perl: Looking for config for auth-type Perl
rlm_perl: RAD_REQUEST: State = 0x3035393539393435373430303739313734393630
rlm_perl: RAD_REQUEST: User-Name = my-user-name
rlm_perl: RAD_REQUEST: User-Password = 232839
rlm_perl: Auth-Type: Perl
rlm_perl: url: localhost/validate/check (https removed from the begining)
rlm_perl: user sent to privacyidea: my-user-name
rlm_perl: realm sent to privacyidea:
rlm_perl: resolver sent to privacyidea:
rlm_perl: client sent to privacyidea:
rlm_perl: state sent to privacyidea: 05959945740079174960
rlm_perl: urlparam pass = 232839
rlm_perl: urlparam user = my-user-name
rlm_perl: urlparam state = 05959945740079174960
rlm_perl: Request timeout: 10
rlm_perl: Not verifying SSL certificate!
rlm_perl: elapsed time for privacyidea call: 0.06422
rlm_perl: Content {"detail": {"message": "Response did not match the challenge.", "serial": "TOTP0000302C", "threadid": 140322685671168, "type": "totp"}, "id": 1, "jsonrpc": "2.0", "result": {"status": true, "value": false}, "time": 1595244120.8160853, "version": "privacyIDEA 3.3.3", "versionnumber": "3.3.3", "signature": "rsa_sha256_pss: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"}
rlm_perl: privacyIDEA Result status is true!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
(1) perl-privacyidea: &request:State = $RAD_REQUEST{'State'} -> '0x3035393539393435373430303739313734393630'
(1) perl-privacyidea: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'my-user-name'
(1) perl-privacyidea: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '232839'
(1) perl-privacyidea: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'Response did not match the challenge.'
(1) perl-privacyidea: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(1) [perl-privacyidea] = reject
(1) } # Auth-Type Perl = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 13 from 192.168.240.251:1812 to 192.168.240.7:8888 length 59
(1) Reply-Message = "Response did not match the challenge."
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 13 with timestamp +94

Never mind, it just clicked. I don't know why I had selected SHA256 in the TOTP settings. I set that back to the default SHA1, deleted the existing TOTP token, created a new one, and it started working! It worked in direct VPN testing with the PA VPN gateway as well.
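The root cause in the follow-up is worth seeing in code. The block below is an added example, not code from the thread or from privacyIDEA's own implementation: a plain RFC 6238 TOTP in Python that reproduces the failure mode, a token enrolled on the server with SHA-256 while the phone computes SHA-1 codes. Google Authenticator's Key URI documentation states that the `algorithm` parameter is ignored by its implementations, so the app always produces SHA-1 codes whatever the server was told. The seeds are the RFC 6238 test vectors (constructed test data, not the user's secret), the timestamp 1595244120 is taken from the second request in the log above, and the function names (`hotp`, `totp`, `verify_totp`, `demo`) are my own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test seeds (constructed test data from the RFC, not from the thread):
# ASCII "12345678901234567890" (SHA-1 vectors) and
# ASCII "12345678901234567890123456789012" (SHA-256 vectors), base32-encoded.
RFC_SEED_SHA1 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SEED_SHA256 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    # otpauth URIs usually carry the base32 secret without '=' padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret_b32, int(unix_time) // step, digits=digits, algorithm=algorithm)


def verify_totp(secret_b32, submitted, unix_time, step=30, digits=6, algorithm="sha1", window=1):
    """Server-side check: accept the current step and +-window neighbouring steps (clock drift),
    comparing in constant time. Returns the matching step offset, or None if nothing matched."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, digits=digits, algorithm=algorithm)
        if hmac.compare_digest(expected, submitted):
            return delta
    return None


def demo(unix_time=1595244120):
    """Reproduce the thread: the phone (Google Authenticator) computes SHA-1 codes, while the
    server token was enrolled with SHA-256. Returns (phone_code, accepted_by_sha256, accepted_by_sha1)."""
    phone_code = totp(RFC_SEED_SHA1, unix_time, algorithm="sha1")
    # Token defined with SHA-256 on the server: the SHA-1 code never matches.
    mismatched = verify_totp(RFC_SEED_SHA1, phone_code, unix_time, algorithm="sha256") is not None
    # Token re-enrolled with the default SHA-1: same code, same seed, now accepted.
    fixed = verify_totp(RFC_SEED_SHA1, phone_code, unix_time, algorithm="sha1") is not None
    return phone_code, mismatched, fixed


if __name__ == "__main__":
    code, bad, good = demo()
    print(f"phone (SHA-1) code:                   {code}")
    print(f"server token enrolled with SHA-256:   {bad}")    # False -> 'Response did not match the challenge.'
    print(f"server token enrolled with SHA-1:     {good}")   # True
```

For a privacyIDEA operator the defender-side reading of the log is this: `result.status` is true and the challenge State round-trips correctly, so the RADIUS plumbing is fine; "Response did not match the challenge." with a correct seed and synchronised clocks points at an algorithm, digit-count or time-step mismatch between the token definition and the app. Re-enrolling the token with the default SHA-1 is exactly what resolved it here.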