Hi,
I set up a Pritunl server with Radius authentication and it works.
I wanted to add TOTP but I can’t log in anymore.
I am getting the error below:
[ancient-waves-1802][2025-06-02 17:55:46,776][INFO] Authenticating user
  user_name = "XXACCOUNTXX"
  factors = ["radius", "otp"]
[ancient-waves-1802][2025-06-02 17:56:01,792][ERROR] Radius auth check error
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/user/user.py", line 597, in sso_auth_check
    return sso.verify_radius(self.name, password)[0]
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/radius.py", line 41, in verify_radius
    reply = conn.SendPacket(req)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/pyrad/client.py", line 187, in SendPacket
    return self._SendPacket(pkt, self.authport)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/pyrad/client.py", line 175, in _SendPacket
    raise Timeout
Any idea of what is going on?
zach
June 2, 2025, 5:30pm
2
If this is for a push type multi-factor authentication on the Radius server, the timeout will need to be increased. The Radius timeout can be increased by running sudo pritunl set app.sso_radius_timeout 5, the default is 5 seconds.
The profile may need to be re-imported into the client if configuration sync did not work. Otherwise it may send the password incorrectly. When using other OpenVPN clients, refer to the two-step-authentication documentation for information on how to enter the password and OTP code.
If not, the error is from a timeout with the connection to the Radius server; turning on the Google Authenticator option shouldn’t affect this.
The Google Authenticator option is already on. And I wanted to make it work from the Pritunl server, not from the Radius server.
Rk2025
June 3, 2025, 10:03am
4
This is the log on the server when I try to connect:
[ancient-waves-1802] 2025-06-03 11:50:45 us=42352 Connection Attempt MULTI: multi_create_instance called
[ancient-waves-1802] 2025-06-03 11:50:45 us=42452 XX.XX.XX.XX:35399 Re-using SSL/TLS context
[ancient-waves-1802] 2025-06-03 11:50:45 us=42518 XX.XX.XX.XX:35399 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
[ancient-waves-1802] 2025-06-03 11:50:45 us=42529 XX.XX.XX.XX:35399 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
[ancient-waves-1802] 2025-06-03 11:50:45 us=42795 XX.XX.XX.XX:35399 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
[ancient-waves-1802] 2025-06-03 11:50:45 us=42807 XX.XX.XX.XX:35399 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1600 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
[ancient-waves-1802] 2025-06-03 11:50:45 us=831578 XX.XX.XX.XX:35399 VERIFY OK: depth=1, O=67ceef3456c0630e15255e89, CN=67ceef3456c0630e15255e8e
[ancient-waves-1802] 2025-06-03 11:50:45 us=832019 XX.XX.XX.XX:35399 VERIFY OK: depth=0, O=67ceef3456c0630e15255e89, CN=67ceef3656c0630e15255e9b
[ancient-waves-1802] 2025-06-03 11:50:45 us=832516 XX.XX.XX.XX:35399 peer info: IV_VER=2.6.12
[ancient-waves-1802] 2025-06-03 11:50:45 us=832524 XX.XX.XX.XX:35399 peer info: IV_PLAT=mac
[ancient-waves-1802] 2025-06-03 11:50:45 us=832528 XX.XX.XX.XX:35399 peer info: IV_TCPNL=1
[ancient-waves-1802] 2025-06-03 11:50:45 us=832530 XX.XX.XX.XX:35399 peer info: IV_MTU=1600
[ancient-waves-1802] 2025-06-03 11:50:45 us=832532 XX.XX.XX.XX:35399 peer info: IV_NCP=2
[ancient-waves-1802] 2025-06-03 11:50:45 us=832535 XX.XX.XX.XX:35399 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC
[ancient-waves-1802] 2025-06-03 11:50:45 us=832537 XX.XX.XX.XX:35399 peer info: IV_PROTO=990
[ancient-waves-1802] 2025-06-03 11:50:45 us=832540 XX.XX.XX.XX:35399 peer info: IV_LZO_STUB=1
[ancient-waves-1802] 2025-06-03 11:50:45 us=832542 XX.XX.XX.XX:35399 peer info: IV_COMP_STUB=1
[ancient-waves-1802] 2025-06-03 11:50:45 us=832544 XX.XX.XX:35399 peer info: IV_COMP_STUBv2=1
[ancient-waves-1802] 2025-06-03 11:50:45 us=832546 XX.XX.XX.XX:35399 peer info: IV_HWADDR=4a:3d:3f:3e:69:2e
[ancient-waves-1802] 2025-06-03 11:50:45 us=832548 XX.XX.XX.XX:35399 peer info: IV_SSL=OpenSSL_3.3.2_3_Sep_2024
[ancient-waves-1802] 2025-06-03 11:50:45 us=832562 XX.XX.XX.XX:35399 peer info: UV_ID=75dff930d19848f493985c8bda8271d0
[ancient-waves-1802] 2025-06-03 11:50:45 us=832566 XX.XX.XX.XX:35399 peer info: UV_NAME=calm-waters-8813
[ancient-waves-1802] 2025-06-03 11:50:45 us=832601 XX.XX.XX.XX:35399 TLS: Username/Password authentication deferred for username ‘MbzRADrG/FJHW5d4tNsHLabldAb+OoV4SCR4FhT2VgI’
[ancient-waves-1802] 2025-06-03 11:50:45 us=832608 XX.XX.XX.XX:35399 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
[ancient-waves-1802] 2025-06-03 11:50:45 us=832629 XX.XX.XX.XX:35399 NOTE: --mute triggered…
[ancient-waves-1802] 2025-06-03 11:50:45 us=884107 XX.XX.XX.XX:35399 2 variation(s) on previous 8 message(s) suppressed by --mute
[ancient-waves-1802] 2025-06-03 11:50:45 us=884125 XX.XX.XX.XX:35399 [67ceef3656c0630e15255e9b] Peer Connection Initiated with [AF_INET6]::ffff:78.243.136.245:35399
[ancient-waves-1802] 2025-06-03 11:50:47 us=154171 78.243.136.245:35399 PUSH: Received control message: ‘PUSH_REQUEST’
[ancient-waves-1802] 2025-06-03 11:50:52 us=714225 XX.XX.XX.XX:35399 PUSH: Received control message: ‘PUSH_REQUEST’
[ancient-waves-1802] 2025-06-03 11:50:58 us=322218 XX.XX.XX.XX:35399 NOTE: --mute triggered…
[ancient-waves-1802] 2025-06-03 11:51:00 ERROR User auth failed “Failed secondary authentication”
[ancient-waves-1802] 2025-06-03 11:51:00 us=861806 1 variation(s) on previous 8 message(s) suppressed by --mute
[ancient-waves-1802] 2025-06-03 11:51:00 COM> SUCCESS: client-deny command succeeded
[ancient-waves-1802] 2025-06-03 11:51:00 us=861823 MANAGEMENT: CMD ‘client-deny 0 1 “Failed secondary authentication”’
[ancient-waves-1802] 2025-06-03 11:51:00 us=861834 MULTI: connection rejected: Failed secondary authentication, CLI:[NULL]
[ancient-waves-1802] 2025-06-03 11:51:03 us=934172 XX.XX.XX.XX:35399 Delayed exit in 5 seconds
[ancient-waves-1802] 2025-06-03 11:51:03 us=934202 XX.XX.XX.XX:35399 SENT CONTROL [UNDEF]: ‘AUTH_FAILED’ (status=1)
[ancient-waves-1802] 2025-06-03 11:51:03 us=934211 XX.XX.XX.XX:35399 SENT CONTROL [67ceef3656c0630e15255e9b]: ‘AUTH_FAILED’ (status=1)
[ancient-waves-1802] 2025-06-03 11:51:03 us=934216 XX.XX.XX.XX:35399 NOTE: --mute triggered…
[ancient-waves-1802] 2025-06-03 11:51:06 us=154161 1 variation(s) on previous 8 message(s) suppressed by --mute
[ancient-waves-1802] 2025-06-03 11:51:06 us=154193 read UDPv6 [ECONNREFUSED]: Connection refused (fd=5,code=111)
[ancient-waves-1802] 2025-06-03 11:51:08 us=271408 XX.XX.XX.XX:35399 SIGTERM[soft,delayed-exit] received, client-instance exiting
zach
June 3, 2025, 10:08am
5
Try turning off Google Authenticator and check if the connection works. This appears to only be a timeout to the Radius server.
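An added example, not part of the thread or of Pritunl's own code: a small parser that measures the wait behind a "Radius auth check error", using the two log headers from the first post (traceback abbreviated). It assumes the 5 second timeout mentioned above and that the bundled pyrad client re-sends the request after each timeout; the retry count is not shown on the page, so it is inferred from the elapsed time.

```python
import re
from datetime import datetime

# Constructed sample: log headers copied from the first post, traceback abbreviated.
SAMPLE_LOG = """\
[ancient-waves-1802][2025-06-02 17:55:46,776][INFO] Authenticating user
  user_name = "XXACCOUNTXX"
  factors = ["radius", "otp"]
[ancient-waves-1802][2025-06-02 17:56:01,792][ERROR] Radius auth check error
Traceback (most recent call last):
  ...
"""

# [host][YYYY-MM-DD HH:MM:SS,mmm][LEVEL] message
HEADER = re.compile(
    r"^\[[^\]]+\]\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3})\]\[(\w+)\] (.*)$")

def parse_headers(text):
    """Yield (timestamp, level, message) for each log header line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(microsecond=int(m.group(2)) * 1000)
            yield ts, m.group(3), m.group(4)

def radius_timeouts(text, timeout_s=5.0):
    """Pair each auth start with the next Radius error and size the wait."""
    results, started = [], None
    for ts, level, msg in parse_headers(text):
        if msg.startswith("Authenticating user"):
            started = ts
        elif level == "ERROR" and msg.startswith("Radius auth check error") and started:
            elapsed = (ts - started).total_seconds()
            attempts = round(elapsed / timeout_s)
            # 0.5 s of slack for scheduling and socket overhead (assumed value).
            unanswered = attempts >= 1 and abs(elapsed - attempts * timeout_s) < 0.5
            results.append({"elapsed": elapsed, "attempts": attempts,
                            "all_unanswered": unanswered})
            started = None
    return results

if __name__ == "__main__":
    for r in radius_timeouts(SAMPLE_LOG):
        print(r)
```

On the posted log this reports about 15 seconds, which is three full 5 second waits with no reply from the Radius server.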
Rk2025
June 3, 2025, 10:11am
6
It works, but without OTP.
And I have to enable “Bypass Secondary Authentication” before.
Rk2025
June 3, 2025, 12:23pm
7
I did a test with the OpenVPN client; it is still not working, but I get this error in the server logs:
[ancient-waves-1802] 2025-06-03 14:16:19 ERROR User auth failed “Challenge OTP code”
I am using Google Authenticator to get the TOTP code and I also have Authy.