Hi,
Can anybody confirm TOTP working on a fresh default install of 23.x? I installed OPNsense in a KVM-based VM.
I did all the steps to set up TOTP but it's not working. The test is failing. I tried:
- multiple auth apps (Google, MS)
- different user
- reset to factory defaults
- token as suffix & prefix
- time settings on smartphone and OPNsense
Error is always: Authentication failed.
Any ideas?
Yo
Hi
Have you checked the dates on both ends?
BTW, I use FreeOTP (Ver 2.0.1 (42)) on Android - works well & appears stable.
PeterF
Bumping this as I had the same issue today.
I tried FreeOTP (Ver 2.0.1 (42)) on Android and was not able to add the token via QR code. If I add the token manually (TOTP/6 digits/SHA-1) it shows the same code as the Google Authenticator.
Yes, I checked the dates on both ends.
The answer is wrong password 99,99% of the time.
Either due to differing keyboard mappings (for special characters in particular), wrong time on one end (for TOTP), token order reversal (for TOTP) or selecting the wrong authentication server (expecting a different one).
Just use the built-in tester on the OPNsense itself. If it works the problem lies elsewhere and if not let us know. ;)
Cheers,
Franco
@franco, I can give you access, feel free to test yourself. The firewall is absolute default config, even the root pwd is unchanged.
Is the server clock running with exact time?
Time on the Dashboard and the devices where the Auth App is running is the same.
> the firewall is absolute default config
It's still one of those things I mentioned ;) First make sure the tester works, then inspect password for special characters, check settings for auth (where, what, who). If you don't have an OTP token for the user this will fail, but that would be easily confirmable by the tester...
Cheers,
Franco
WTH, the only thing I'm using is the tester.
If the time window is not the default value (30 sec), TOTP is broken for me.
Then perhaps your client doesn't support it. Remember when you said "the firewall is absolute default config"? I do. :)
Cheers,
Franco
Which client, Franco? I'm using the internal tester.
Please read it yourself, Franco, I'm saying the test is failing in my first post.
Because you changed the setting and didn't tell us? ¯\_(ツ)_/¯
Cheers,
Franco
The problem was that the RFC states a time window of 30 sec; if you set another time window you cannot use authenticator apps like Google Authenticator, because there the 30 sec is fixed. If you use FreeOTP you can change the time window to another value. For me FreeOTP is not working with the QR code from OPNsense, but adding the code manually with another time window should work. Since this setting is causing problems, I would suggest a bigger hint which draws attention to the fact that values other than 30 are not RFC conformant and do not work with most authenticator apps.
Quote from: franco on March 28, 2023, 09:59:44 AM
Because you changed the setting and didn't tell us? ¯\_(ツ)_/¯
Cheers,
Franco
Haha, true, I didn't know RFC 6238 in detail at this time, but stating the same thing 3 times wasn't really helpful.