MSCHAPv2 Module with Stripped-Username - no ActiveDirectory

Markus Maurer lists at
Sat Nov 10 21:28:51 CET 2018

Yes, but its not possible using pap in my case anyway..:/

Cause linotp just verifys the otp over rlm_perl and it hasnt stored the password of the user in its database, so the second step is to verify only the user ft. password against the sql database.

Do you have any idea how to setup something like this?


Best regards 

> Am 10.11.2018 um 20:45 schrieb Alan DeKok <aland at>:
>> On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists at> wrote:
>> thank you very much for the fast answer! :)
>> I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password  anymore?!
>  True.  Which is why most people use PAP for OTP.
>> Is it possible to modify the eap identity before its getting to the eap module?
>  Sure.  But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user.  Modifying things on the RADIUS server won't affect the calculations done by the end user.
>> I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.
>  Why not just do the MS-CHAP calculations on the whole User-Name?  Why strip off the OTP?
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list