FreeRADIUS integration (Linux/Windows) — multiOTP open source forum

OTP in the login field

Alex — Fri, 25 Apr 2025 09:30:15 +0000

Is it possible to do with multiotp and MS-CHAPv2? MS-CHAPv2 is for a password. Username: username:OTP Password: password Example for username = john, password = myBigPassword, OTP = 123456 Username: john:123456 Password: myBigPassword

Check Active Directory Group Membership for TunnelGroupName

boycej — Mon, 21 Apr 2025 19:31:18 +0000

i am currently using the Virtual Machine version of Multiotp that has been upgraded. Current configuration below: multiOTP 5.9.9.1 2025-01-20 Web service is ready 2025-04-21 21:15:11, nginx/1.22.1, PHP/8.2.28 Is there any way to use a script within FreeRADIUS to check the Group Membership that multiotop has in the database/files? Such as this script below: elsif (ASA-TunnelGroupName == "Tech_CCS_AnyConnect" && LDAP-Group == "CCS_TECHS") { reject } I am currently using this with LDAP on another FreeRADIUS server without multiotop. Or is there another place I can make sure that the ASA-TunnelGroupName matches with the AD Group membership such as the multiotip.php or the multiotp.pl? Thanks for help.

Multiotp integration with external radius server

muzammel — Thu, 05 Oct 2023 11:01:43 +0000

I have configured the external radius server and i want to integrate with multiotp running on another server, i found that to connect radius with multiotp there is an program (/usr/local/bin/multiotp/multiotp.php) file i want to call from URL like https://multiopt-serverip/ , how i can achieve that ? please guide and help. Thanks.

MultiOTP on Docker

benson — Wed, 24 Mar 2021 16:14:15 +0000

Hello, I see this command below on https://github.com/multiOTP/multiotp/wiki Docker container available: docker run --mount source=multiotp-data,target=/etc/multiotp -p 80:80 -p 443:443 -p 1812:1812/udp -p 1813:1813/udp -d multiotp/multiotp-open-source I don't see any documentation about it. Can somebody point me to the right manual please? I'm sorry I am a newbie on Docker. I need help where to look at. I am installing on a fresh Debian 10 installation. Thank you.

AD setup

nbr — Wed, 18 Apr 2018 09:02:42 +0000

I have been messing around whit this setup and i works great, i'm using it as multifactor for a Cisco VPN solution, my queastien in an AD SYNC setup is it posible to set it up so only the user and the TOTP Token is used for the login, mening skipping the AD password ?

FreeRadius and AD Integration - Sync issue

redcrow — Thu, 21 Dec 2017 15:18:05 +0000

Hello,

we are working on a project to integrate FreeRadius + multiOTP with Active Directory.
Everything seems to work well (e.g., connection and so on), but the sync process does not sync any user.

My Linux Distribution is a Debian 9 64 bit and below you can see the all the software versions:

# php --version
PHP 7.0.19-1 (cli) (built: May 11 2017 14:04:47) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.19-1, Copyright (c) 1999-2017, by Zend Technologies

# multiotp -version
LOG 2017-12-21 15:26:15 debug Debug Debug: *parameter(s) received: -version
multiOTP 5.0.4.8 (2017-06-06) [CLI]
19 *INFO: Requested operation successfully done

# freeradius -v
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06

FreeRADIUS Version 3.0.12

Specifically, the configuration is the following:

# multiotp -config default-request-prefix-pin=1
# multiotp -config default-request-ldap-pwd=1
# multiotp -config ldap-server-type=1
# multiotp -config ldap-cn-identifier="sAMAccountName"
# multiotp -config ldap-group-cn-identifier="sAMAccountName"
# multiotp -config ldap-group-attribute="memberOf"
# multiotp -config ldap-ssl=0
# multiotp -config ldap-port=389
# multiotp -config ldap-domain-controllers="example.com"
# multiotp -config ldap-base-dn="DC=example,DC=com"
# multiotp -config ldap-bind-dn="CN=freeradius,OU=Test,DC=example,DC=com"
# multiotp -config ldap-server-password="passwordhere"
# multiotp -config ldap-in-group="LinuxTestGroup"
# multiotp -config ldap-network-timeout=10
# multiotp -config ldap-time-limit=30
# multiotp -config ldap-activated=1

--> Of course LinuxTestGroup contains some testing users, such as foobar.

and below we show the output of the check/sync commands:

# multiotp -debug -display-log -ldap-check
LOG 2017-12-21 15:59:24 debug Debug Debug: *parameter(s) received: -debug -display-log -ldap-check
19 *INFO: Requested operation successfully done

# multiotp -ldap-user-info foobar
LOG 2017-12-21 15:59:51 debug Debug Debug: *parameter(s) received: -debug -display-log -ldap-user-info foobar
LOG 2017-12-21 15:59:51 debug System Debug: *LDAP cache folder value: /tmp/.ldap_cache/
LOG 2017-12-21 15:59:51 debug Debug Debug: *AD/LDAP connection defined
LOG 2017-12-21 15:59:51 debug Debug Debug: *AD/LDAP GetLdapUsersInfoArray processing
LOG 2017-12-21 15:59:51 debug Debug Debug: *AD/LDAP server is Microsoft AD
LOG 2017-12-21 15:59:51 debug Debug Debug: *AD/LDAP GetLdapUsersInfoArray done ()
19 *INFO: Requested operation successfully done

--> No user info here!!!

# multiotp -ldap-users-list
LOG 2017-12-21 16:02:08 debug Debug Debug: *parameter(s) received: -ldap-users-list
LOG 2017-12-21 16:02:08 debug System Debug: *LDAP cache folder value: /tmp/.ldap_cache/
39 *ERROR: Requested operation aborted
LOG 2017-12-21 16:02:08 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Requested operation aborted"
Reply-Message := "ERROR: Requested operation aborted"

--> Error Code 39 here!!!

# multiotp -ldap-users-sync
LOG 2017-12-21 16:03:01 debug Debug Debug: *parameter(s) received: -ldap-users-sync
LOG 2017-12-21 16:03:01 debug LDAP Debug: *AD/LDAP synchronization started at 16:03:01 / Memory used: 8.4MB / Peak: 20.1MB
LOG 2017-12-21 16:03:01 info LDAP Info: AD/LDAP synchronization started
LOG 2017-12-21 16:03:01 debug System Debug: *LDAP cache folder value: /tmp/.ldap_cache/
PHP Warning:  ldap_control_paged_result_response(): Result is: Referral (10) in /opt/multiOTP/linux/multiotp.php on line 56
PHP Warning:  ldap_control_paged_result_response(): Result is: Referral (10) in /opt/multiOTP/linux/multiotp.php on line 56
PHP Warning:  ldap_control_paged_result_response(): Result is: Referral (10) in /opt/multiOTP/linux/multiotp.php on line 4
LOG 2017-12-21 16:03:01 info LDAP Info: No update for the 0 LDAP synced users, based on 1 LDAP entries (processed in 00:00:00)
19 *INFO: Requested operation successfully done

--> Some warnings but successfully done... Anyway no synched users!

What's the issue?

Thanks,
Francesco

After Implementing the VHD alwayse get this

belalalali — Sun, 04 Feb 2018 07:30:34 +0000

Hi All; I am done with the installation, when ever i try to enter any multiotp command i get file or directory not found. example: multiotp -version ==> Result: No such file or directory I need help please

Multiotp can not get "NT_KEY"

takabow — Fri, 02 Feb 2018 00:26:04 +0000

Hello. I'm trying to setup multiOTP + FreeRADIUS on CentOS 7. When I run "radtest -t mschap testuser 12345 127.0.0.1 0 testing123" multiotpmschap module returns "Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix" However, accoding to debug message of FreeRADIUS, NT_KEY is sent to the RADIUS server. here is the debug message of FreeRADIUS -------------------------------------- PHP Warning: Module 'mbstring' already loaded in Unknown on line 0 (2) multiotpmschap: Program returned code (0) and output ' LOG 2018-01-31 05:02:56 debug Debug Debug: *parameter(s) received: testuser -request-nt-key -src=127.0.0.1 -chap-challenge= -chap-password= -ms-chap-challenge=0xe97a929a59d92dad -ms-chap-response=0x00010000000000000000000000000000000000000000000000005b75a41bac340aaf047b4c89de0aa20756fbcc9baf3ebb6c -ms-chap2-response= from 127.0.0.1 LOG 2018-01-31 05:02:56 notice (user testuser) User OK: User testuser successfully logged in with TOTP token from 127.0.0.1 0 *OK: Token accepted LOG 2018-01-31 05:02:56 debug Debug Debug: *Attributes sent to the RADIUS server: NT_KEY: E006844848290D66C085C096E8982A56 from 127.0.0.1 NT_KEY: E006844848290D66C085C096E8982A56 ' (2) multiotpmschap: ERROR: Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix (2) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect -------------------------------------- My goal is to connect 802.1X network, entering username and one_time_password. (donot need ActiveDirectory password) I syncd multiotp users from Active Directory, and /usr/bin/ntlm_auth is OK. I thought problem is coused by encoding. Becouse I set [mbstring.internal_encoding] of /etc/php.ini "UTF-8" but multiotp write in EUC, so I changed php.ini to EUC, but not effected... Why multiotpmschap module cannot see NT_KEY ? [Products versions] CentOS Linux release 7.4.1708 (Core) multiOTP 5.0.4.8 freeradius.x86_64 3.0.13-8.el7_4 PHP Version 5.4.16 Thanks.

Authentication with ms-chap

klavdijaps — Fri, 03 Nov 2017 14:03:29 +0000

Hello,

I have a problem when trying to authenticate user trough radius with mschap protocol using TOTP token. I am using mysql database for users. Authentication with PAP works perfectly. Maybe i have missed something....

This is content of my multiotp file under modules

exec multiotp {
wait = yes
input_pairs = request
output_pairs = reply
program = "/var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}"
shell_escape = yes
}

And this is content of multiotp file under policy.d

multiotp_prefix = ''
multiotp.authorize {
if (control:Auth-Type == MS-CHAP) {
update control {
Auth-Type := multiotpmschap
}
}
elsif (!control:Auth-Type) {
update control {
Auth-Type := multiotp
}
}
}

radtest testotp OTP_DIGITS 127.0.0.1 1812 secret returns Access-Accept but radtest -t mschap testotp OTP_DIGITS 127.0.0.1 1812 secret returns the following

Found Auth-Type = multiotp (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Auth-Type multiotp { (3) multiotp: Executing: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: (3) multiotp: EXPAND %{User-Name} (3) multiotp: --> testotp (3) multiotp: EXPAND %{User-Password} (3) multiotp: --> (3) multiotp: EXPAND -src=%{Packet-Src-IP-Address} (3) multiotp: --> -src=127.0.0.1 (3) multiotp: EXPAND -chap-challenge=%{CHAP-Challenge} (3) multiotp: --> -chap-challenge= (3) multiotp: EXPAND -chap-password=%{CHAP-Password} (3) multiotp: --> -chap-password= (3) multiotp: EXPAND -ms-chap-challenge=%{MS-CHAP-Challenge} (3) multiotp: --> -ms-chap-challenge=0x2ee85e7aa9a2b6e1 (3) multiotp: EXPAND -ms-chap-response=%{MS-CHAP-Response} (3) multiotp: --> -ms-chap-response=0x000100000000000000000000000000000000000000000000000080cca3b95e8097092b15c3616a401670976d006084d6c506 (3) multiotp: EXPAND -ms-chap2-response=%{MS-CHAP2-Response} (3) multiotp: --> -ms-chap2-response= (3) multiotp: ERROR: Failed parsing output from: /var/www/html/multiotp/multiotp.php %{User-Name} %{User-Password} -request-nt-key -src=%{Packet-Src-IP-Address} -chap-challenge=%{CHAP-Challenge} -chap-password=%{CHAP-Password} -ms-chap-challenge=%{MS-CHAP-Challenge} -ms-chap-response=%{MS-CHAP-Response} -ms-chap2-response=%{MS-CHAP2-Response}: Expecting operator (3) multiotp: ERROR: Program returned code (0) and output 'NT_KEY: 9B808D30754AE8E76E8ACB155F5A3D38, ' (3) [multiotp] = fail (3) } # Auth-Type multiotp = fail (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject

FreeRadius and SMS (how it works without challenge-response)

DanielS — Tue, 01 Apr 2014 11:40:58 +0000

by entering sms as the otp password, radius should identify this as a SMS request and multiotp schould send an SMS. However, current setup is not challenge-response enabled. Anyone got it working?