I was under the impression that, with EAP, it encapsulates the password in the EAP transmission. If I can only do EAP, then that means it can never send it in the clear. Which means, if I want to send the radius server the password in the clear (since its OTP) what I am doing can’t be done. Is this correct?
Alex, When you receive an EAP access request, FreeRADIUS will pass the request on to the 'inner-tunnel' server (defined in /etc/raddb/sites-available/inner-tunnel). If you have an OTP server, you can then proxy the inner tunnel request to the OTP server. Of course, you then lose any of the protection that EAP-TTLS provides, but then again, if you're using PAP only, all bets are off anyway. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238