Bug #9583

Freeradius 3 auth error on OTP (only on PFSense 2.5-dev)

Added by Luca De Andreis about 1 year ago. Updated 6 months ago.


Freeradius 3 on PFSense 2.5-dev using OTP (Google auth) fails auth (works correctly on simple authentication, not OTP).
The same configuration on 2.4.4-p3 works perfectly.


#1 Updated by Viktor Gurov 6 months ago

  • Affected Version set to 2.4.5

issue for both Google Authenticator and mOTP
on the latest 2.4.5 and 2.5

# radtest -t pap guser1 1234713723 10000 123
Sent Access-Request Id 104 from to length 76
    User-Name = "guser1" 
    User-Password = "1234713723" 
    NAS-IP-Address =
    NAS-Port = 10000
    Message-Authenticator = 0x00
    Cleartext-Password = "1234713723" 
Received Access-Reject Id 104 from to length 20
(0) -: Expected Access-Accept got Access-Reject

in logs:

Login incorrect (Failed retrieving values required to evaluate condition): [guser1] (from client local port 10000)

no such issue on 2.4.4-p3

changes in the FreeBSD RADIUS binary?

on 2.4.4-p3:

# radiusd -v
radiusd: FreeRADIUS Version 3.0.17, for host amd64-portbld-freebsd11.2, built on May 13 2019 at 16:47:37
FreeRADIUS Version 3.0.17

on 2.4.5:

# radiusd -v
radiusd: FreeRADIUS Version 3.0.20, for host amd64-portbld-freebsd11.3, built on Jan  2 2020 at 14:43:22
FreeRADIUS Version 3.0.20

#2 Updated by Viktor Gurov 6 months ago

mOTP is ok

this is a python3.7 code issue:

/usr/local/etc/raddb/scripts/ guser1 BIRVHQM2NSOM3JUO 1234 1234938913
Traceback (most recent call last):
  File "/usr/local/etc/raddb/scripts/", line 54, in <module>
    auth = authenticate(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
  File "/usr/local/etc/raddb/scripts/", line 34, in authenticate
    offset = ord(hm[-1]) & 0x0F
TypeError: ord() expected string of length 1, but int found

2.4.4-p3 uses python2.7

#3 Updated by Jim Pingle 6 months ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • Target version set to 2.4.5
  • % Done changed from 0 to 100
  • Affected Architecture All added
  • Affected Architecture deleted ()

I knew GA had a python 3.x issue but just hadn't got around to fixing it yet. It was a simple change:


I ran the script through 2to3 and it didn't flag anything. After removing that ord() call, it works as expected. I can auth at the CLI and via Diag > Auth only with valid GA codes generated within the expected time frame.

#4 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

Works fine on _9.
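
Added example, not part of the original thread and not the package's own script: a Python 3 TOTP check (RFC 4226 dynamic truncation with RFC 6238 time steps) showing why the ord() call from the traceback in #2 fails on Python 3 and what the byte handling looks like without it. Assumptions: the function names and signature are hypothetical, the password is taken to be the PIN followed by a 6-digit code as in the command line in #2, and the secret is the constructed RFC 4226 test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter, written for Python 3."""
    hm = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Python 3: indexing bytes yields an int, so ord(hm[-1]) raises TypeError.
    # Python 2 returned a 1-character str here, which is why ord() was needed.
    offset = hm[-1] & 0x0F
    code = struct.unpack(">I", hm[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticate(secret_b32: str, pin: str, password: str,
                 now: float = None, step: int = 30, window: int = 1) -> bool:
    """Accept password == pin + TOTP code within +/- `window` time steps."""
    if now is None:
        now = time.time()
    # Base32 secrets are often stored without padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(now) // step
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = pin + hotp(key, counter + drift)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected.encode(), password.encode())
    return ok


# Constructed sample input: RFC 4226 test key, not a real user secret.
SAMPLE_KEY = b"12345678901234567890"
SAMPLE_SECRET = base64.b32encode(SAMPLE_KEY).decode()

if __name__ == "__main__":
    # At t=59 the counter is 1, so the expected code is the RFC value 287082.
    print(authenticate(SAMPLE_SECRET, "1234", "1234287082", now=59))
    # The same code outside the accepted window is rejected.
    print(authenticate(SAMPLE_SECRET, "1234", "1234287082", now=209))
```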
