"Wrong OTP Value" Error in OpenVPN with PrivacyIDEA After Migration

Hello everyone,

I am facing an issue with OTP-based authentication in my OpenVPN setup using PrivacyIDEA. At random intervals, users attempting to connect via OpenVPN receive the error:

“RADIUS access denied: wrong otp value”

However, after retrying the connection a few times, the issue resolves itself, and the user is able to authenticate successfully. This inconsistency has been problematic, especially after upgrading PrivacyIDEA and migrating our database to a Galera Cluster.

Background:
Previously, I was using Ubuntu 20 with a local MySQL database for PrivacyIDEA, and everything was working fine without any issues. The version of PrivacyIDEA in use was 3.7.2, and the FreeRADIUS version was 3.0.3. However, after a clean install on new machines with Ubuntu 24 and upgrading the database to a Galera Cluster with a remote database, as well as upgrading the DB schema, I began encountering the intermittent "wrong OTP value" errors.

The current setup after migration includes FreeRADIUS 3.2.3 and the latest PrivacyIDEA 3.10, and since then, I've observed the OTP authentication errors occurring randomly.

Issue:

Despite the fact that the previous configuration worked smoothly, the new setup seems to cause occasional OTP mismatches, leading to the error. I am unsure whether this is related to the Galera Cluster migration, the FreeRADIUS upgrade, or OpenVPN settings, but I am seeking advice on how to resolve these intermittent issues.

We are using YubiKey, and I have a policy in PrivacyIDEA to bypass the OTP with the setting otppin:none.

I'd appreciate any advice or solutions on how to ensure consistent OTP-based authentication. If anyone has encountered similar issues or has insights into troubleshooting this problem, please let me know.

Thanks!

I can only try a well educated guess.

I guess you were running a single node previously?
And now you switched to a redundant setup with Galera and two or three privacyIDEA nodes.

You are using RADIUS and I guess you are running two FreeRADIUS nodes that communicate to the corresponding privacyIDEA node?

What can happen with a redundant RADIUS setup and OTP is the following:

With RADIUS being UDP, the RADIUS client (your OpenVPN server) can simply stop waiting for the first response. It will then send a second, identical request to the second RADIUS server.

Thus, in your privacyIDEA cluster, two requests with the same OTP value arrive. It could now happen that the second request is processed while, within privacyIDEA, the first request has just been processed. Within privacyIDEA, the second request with the same OTP value will result in "wrong otp value". You can verify this in the audit log, by checking whether on these occasions you actually have two requests.

The response to the second request will be sent back to the RADIUS client (OpenVPN server) with the result "wrong otp".

You can avoid this by:

  1. choosing a high enough RADIUS timeout on the RADIUS client
  2. choosing the RADIUS retry value to be 1 ("one").
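The race described in the reply, as an added simulation that is not code from privacyIDEA or from the posters: two privacyIDEA/RADIUS nodes share one token store, the client resends the identical packet after a timeout, and only the first arrival of a given OTP is accepted. The counter-based OTP model, the per-server delays, the serial and the client timeout/retry logic are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SharedTokenStore:
    """Stands in for the Galera-backed token table (assumption): the last
    accepted OTP counter per token serial, shared by all privacyIDEA nodes."""
    last_counter: dict[str, int] = field(default_factory=dict)

    def validate(self, serial: str, counter: int) -> tuple[bool, str]:
        # A YubiKey-style OTP is accepted only once: its counter must be higher
        # than the last accepted one, so an identical second packet is rejected.
        if counter <= self.last_counter.get(serial, -1):
            return False, "wrong otp value"
        self.last_counter[serial] = counter
        return True, "matching 1 tokens"


@dataclass
class RadiusServer:
    name: str
    store: SharedTokenStore
    delay: float  # constructed seconds until the Accept/Reject reaches the client

    def handle(self, serial: str, counter: int) -> tuple[float, tuple[bool, str]]:
        # The OTP is consumed when the packet arrives at the node, whether or
        # not the client is still waiting for the answer.
        return self.delay, self.store.validate(serial, counter)


def radius_client_auth(servers, serial, counter, timeout, retries):
    """Model of the OpenVPN RADIUS client: send to one server, wait `timeout`
    seconds, and on no answer resend the identical packet to the next server.
    Late answers to an attempt that already timed out are discarded."""
    for attempt in range(retries):
        delay, (ok, message) = servers[attempt % len(servers)].handle(serial, counter)
        if delay <= timeout:
            return ok, message
    return False, "radius timeout"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Same user, same OTP (counter 7) under three client settings; pi-1 answers
    slowly (e.g. waiting on the remote DB), pi-2 answers fast."""
    results = {}
    for label, timeout, retries in [("timeout=1,retries=2", 1.0, 2),
                                    ("timeout=1,retries=1", 1.0, 1),
                                    ("timeout=5,retries=1", 5.0, 1)]:
        store = SharedTokenStore()
        servers = [RadiusServer("pi-1", store, delay=3.0),
                   RadiusServer("pi-2", store, delay=0.2)]
        results[label] = radius_client_auth(servers, "UBAM-CONSTRUCTED", 7, timeout, retries)
    return results
```

The first scenario reproduces the spurious "wrong otp value": pi-1 has already consumed the OTP when the resent packet reaches pi-2, and the client only hears pi-2. With retries=1 alone the slow node turns into a plain timeout, which is why the reply also asks for a longer timeout.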

My setup:
I have 2 PrivacyIDEA RADIUS servers with Keepalived (Master-Backup) and 3 DB servers running in a Galera Cluster, with additional Keepalived for database failover.

When clients perform authentication tests to RADIUS, the traffic only goes to the primary PrivacyIDEA server with RADIUS. If this server goes down, the traffic switches to the secondary PrivacyIDEA server, ensuring continuous service with RADIUS. PrivacyIDEA is configured to work with the remote DB (keepalived IP).

Example log:

[2024-12-27 01:15:30,107][46633][139408443442880][INFO][privacyidea.lib.user:272] user 'test' found in resolver 'Token_Users'
[2024-12-27 01:15:30,108][46633][139408443442880][INFO][privacyidea.lib.user:274] userid resolved to '518'
[2024-12-27 01:15:30,233][46633][139408443442880][INFO][privacyidea.lib.tokens.yubikeytoken:297] CRC checksum for token 'UBAMdldl16' failed
[2024-12-27 01:15:30,350][46633][139408443442880][INFO][privacyidea.lib.auditmodules.loggeraudit:87] {"action": "POST /validate/check", "action_detail": "", "authentication": "ACCEPT", "client": "127.0.0.1", "duration": "-1 day, 22:00:00.252275", "info": "matching 1 tokens", "policies": "authorization", "privacyidea_server": "localhost", "realm": "token_users_realm", "resolver": "Token_Users", "serial": "UBAM05873866", "startdate": "2024-12-27T01:15:30.097829", "success": true, "thread_id": "139408443442880", "timestamp": "2024-12-26T23:15:30.350094", "token_type": "yubikey", "user": "bandit", "user_agent": "FreeRADIUS", "user_agent_version": null}

Thanks for any advice or insights.