Hello Ivan.
Forcing Auth-Type in users file should work. Thanks for this advice. I changed my users file to use MOTP as the DEFAULT-Auth-Type (first entry of the users file).
/etc/freeradius/users --------------------- DEFAULT Auth-Type = MOTP Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}'", Fall-Through = yes user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0 This part of my problem seems to be solved. Freeradius now uses MOTP as the Auth-Type. But the "old" problem is always present: freeradius doesn't call the external authentication script (otpverify.sh) with the needed arguments (Secret, PIN and Offset): [...] Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=35, length=77 User-Name = "user1" User-Password = "secret" Service-Type = Authenticate-Only NAS-Identifier = "linux.local" NAS-IP-Address = 192.168.82.40 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry DEFAULT at line 2 expand: /usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{Secret}' '%{PIN}' '%{Offset}' -> /usr/local/bin/otpverify.sh 'user1' 'secret' '' '' '' users: Matched entry user1 at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rad_check_password: Found Auth-Type MOTP auth: type "MOTP" +- entering group MOTP expand: %{User-Name} -> user1 expand: %{User-Password} -> secret expand: %{Secret} -> expand: %{PIN} -> expand: %{Offset} -> expr: syntax error Usage: printf [ options ] format [string ...] Exec-Program output: FAIL Exec-Program-Wait: plaintext: FAIL Exec-Program: returned: 1 ++[motp] returns reject auth: Failed to validate the user. Login incorrect: [user1/secret] (from client 192.168.82.40 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Any ideas ?? Thank you all, Stefan