Hello everyone,
I am facing an issue with OTP-based authentication in my OpenVPN setup using PrivacyIDEA. At random intervals, users attempting to connect via OpenVPN receive the error:
“RADIUS access denied: wrong otp value”
However, after retrying the connection a few times, the issue resolves itself, and the user is able to authenticate successfully. This inconsistency has been problematic, especially after upgrading PrivacyIDEA and migrating our database to a Galera Cluster.
Background:
Previously, I was using Ubuntu 20 with a local MySQL database for PrivacyIDEA, and everything was working fine without any issues. The version of PrivacyIDEA in use was 3.7.2, and the FreeRADIUS version was 3.0.3. However, after doing a clean install on new machines with Ubuntu 24 and upgrading the database to a Galera Cluster with a remote database, as well as upgrading the DB schema, I began encountering the intermittent “wrong OTP value” errors.
The current setup after migration includes FreeRADIUS 3.2.3 and the latest PrivacyIDEA 3.10, and since then, I’ve observed the OTP authentication errors occurring randomly.
Issue:
Despite the fact that the previous configuration worked smoothly, the new setup seems to cause occasional OTP mismatches, leading to the error. I am unsure whether this is related to the Galera Cluster migration, the FreeRADIUS upgrade, or OpenVPN settings, but I am seeking advice on how to resolve these intermittent issues.
We are using YubiKey, and I have a policy in PrivacyIDEA to bypass the OTP with the setting otppin:none.
I’d appreciate any advice or solutions on how to ensure consistent OTP-based authentication. If anyone has encountered similar issues or has insights into troubleshooting this problem, please let me know.
Thanks!