How to troubleshoot authentication on the RADIUS server?
After configuring the RADIUS server for external authentication through the otpverify.sh script, you can start the RADIUS server in debug mode by entering “radiusd -sxxy” and try to authenticate users. For local debugging, use the “radtest” program that comes with the XTRadius distribution.

• If authentication fails with a script return code of “1”, make sure that the PIN, Init-Secret and offset are correct. Most likely you have to configure an offset other than “0” for this user. See “How to synchronize server clock and token clock?” for details.
• If the script returns “3”, the account of this user has been locked because there have been 8 or more failed authentication attempts by this user. Delete the corresponding file in /var/motp/users to unlock the user account again.
• A return code of “4” means that the otpverify.sh script has not been called with 5 arguments. Check the configuration of the external authentication in the “users” file of the RADIUS server.
• A return code of “5”