FreeRADIUS two-factor authentication

Two-factor authentication is a common authentication requirement. How do you configure it in FreeRADIUS? This post presents a FreeRADIUS configuration in which the user's password is authenticated against an LDAP directory server and the OTP code against an OTP server, the two checks together forming a two-factor login.

RADIUS defines an interactive protocol for multi-step authentication:

1. Access-Request: first authentication
2. Access-Challenge: first authentication passed, further authentication requested
3. Access-Request: second authentication
4. Access-Accept: second authentication passed

Based on this, we define the 2FA process as follows:

1. The client sends the first Access-Request, carrying the username and password.
2. The server authenticates them through the LDAP module; if they pass, it returns an Access-Challenge carrying a session-tracking State attribute.
3. The client sends a second Access-Request, carrying the username, the OTP code and the State value returned in the first round.
4. The server checks the State and validates the OTP code through the OTP module; if it passes, it returns Access-Accept.

An error in any of the above steps, or a failed validation, returns Access-Reject.

Following the procedure above, the FreeRADIUS server side is configured accordingly (the closing braces lost in the original are restored here; the State expansion and the body of the otp_auth section are not shown in the original):

    authorize {
        if (!State) {
            # First Access-Request: username + password, to be checked against LDAP.
            if (&User-Password) {
                update control {
                    Auth-Type := ldap
                }
            }
            else {
                # No password supplied, so there is nothing to verify.
                reject
            }
        }
        else {
            # Second Access-Request: carries the State from the Access-Challenge.
            # TODO: Check State.
            update control {
                # OTP Auth, python script based.
                Auth-Type := otp_auth
            }
        }
    }

    authenticate {
        Auth-Type ldap {
            # ldap authentication
            ldap
            if (ok) {
                update reply {
                    # session-tracking token the client must echo in the second request
                    State := "%"
                    Reply-Message := "Please enter OTP"
                }
                update control {
                    Response-Packet-Type := Access-Challenge
                }
            }
        }
        Auth-Type otp_auth {
            # OTP check by the self-developed module (perl or python, see below)
        }
    }

Configuration of the ldap module:

    ldap {
        server = 'IP of openldap Server'
        # Other user binding settings.
    }


Configuration of the otp_auth module. The default installation has no otp_auth module: we either develop such a module ourselves, or implement the required functionality in a perl or python module loaded through rlm_perl or rlm_python.

Documentation for the perl module

The key configuration item points at the perl module we are developing:

    perl {
        # path to the perl module we are developing
        module =
    }


Documentation for python modules
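As an added example that is not part of the original post, here is a hypothetical rlm_python module for the otp_auth Auth-Type above. It assumes the OTP server uses TOTP (RFC 6238, SHA-1, 6 digits), that the client sends the OTP code in User-Password on the second Access-Request, and a constructed per-user seed table; the `radiusd` stub only stands in when the file runs outside FreeRADIUS.

```python
import base64
import hashlib
import hmac
import struct
import time

try:
    import radiusd                     # supplied by FreeRADIUS when loaded by rlm_python
except ImportError:                    # stand-alone run or test: mimic rlm_python's return codes
    class radiusd:
        RLM_MODULE_OK, RLM_MODULE_REJECT = 2, 0

STEP, DIGITS, WINDOW = 30, 6, 1        # TOTP step (s), code length, accepted skew in steps

# Constructed sample: user -> base32 TOTP seed (the RFC 6238 test seed). A real deployment
# fetches seeds from the OTP server or a database instead of keeping them in the module.
USER_SECRETS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}

def hotp(secret_b32, counter):
    """RFC 4226 HOTP-SHA1 with DIGITS digits for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"

def totp_valid(secret_b32, code, now=None):
    """Accept the code for the current time step or up to WINDOW steps either side."""
    counter = int((time.time() if now is None else now) // STEP)
    ok = False
    for c in range(counter - WINDOW, counter + WINDOW + 1):
        # compare every candidate in constant time so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret_b32, c), code)
    return ok

def authenticate(p, now=None):
    """Entry point rlm_python calls for Auth-Type otp_auth; p is a tuple of (attr, value) pairs."""
    attrs = {k: str(v).strip('"') for k, v in p}   # drop any quoting around string values
    user = attrs.get("User-Name")
    code = attrs.get("User-Password", "")            # assumption: OTP code arrives as User-Password
    # The second Access-Request must echo the State from the Access-Challenge. Only its
    # presence is checked here, mirroring the "TODO: Check State" in the authorize section.
    if user not in USER_SECRETS or not attrs.get("State") or not (code.isascii() and code.isdigit()):
        return radiusd.RLM_MODULE_REJECT
    if totp_valid(USER_SECRETS[user], code, now):
        return radiusd.RLM_MODULE_OK
    return radiusd.RLM_MODULE_REJECT
```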

In addition, readers familiar with Apache or Nginx will find the FreeRADIUS configuration structure similar. The expressiveness FreeRADIUS offers for request processing comes from unlang: it is compatible with the configuration syntax and adds the ability to express simple logic such as the conditions and updates used above. The reference documentation for unlang is at
