Hello! This is my first post in the maillist (that have solved all of my earlier problems), but now I'm not sure if my error is my mistake, Cisco's mistake or FreeRADIUS's mistake. I've set up a two-factor athentication against our Cisco AnyConnect VPN with access-challenge (this works when I use PAP between Cisco and FreeRADIUS). But with the username and password being sent between the Cisco and the FreeRADIUS-server in cleartext I enabled "Password management" on the Cisco ASA, so it sends the password with MS-CHAPv2. The authentication of the user works with MS-CHAPv2. To make the FreeRADIUS send an challenge after the authentication of the user I did this in sites-enabled/default: authenticate { .... Auth-Type MS-CHAP { mschap challenge } .... } The Cisco ASA recieves the Challenge and promts for and challenge. When I type in the correct challenge the FreeRADIUS sends an Access-Accept, but the Cisco ASA won't allow it. My question is if this is allowed by the standard or is it a bug on Cisco's side? Regards, Lasse Odden