I am going through the privacyidea documentation trying to work out what
the behaviour of FreeRADIUS + privacyidea is.
I have read:
but neither of these says what privacyidea actually does in response to
an incoming RADIUS request.
Such a request will normally contain a User-Name and a User-Password. And
let’s assume I have configured privacyidea with an existing
username+password database, say in LDAP or SQL.
Does privacyidea split the User-Password into and
parts, i.e. the user is supposed to concatenate them? Or does it respond
with an Access-Challenge asking for the OTP? Or does it validate only the
token response and not the password? Or something else?
I have looked in the code for privacyidea_radius.pm and it seems to call
the /validate/check endpoint, which in turn is documented at
and I think this REST endpoint takes a concatenation of the password plus
OTP (although it talks about “OTP pin” rather than “password”).
But then looking in the module code, further on it seems to generate an
Hence I’m pretty confused. A simple description of the behaviour when
responding to an incoming RADIUS request would be great. This in turn will
help me understand if it can be used in certain RADIUS scenarios, e.g.
EAP-TTLS + PAP/GTC.