Hi Ivan.
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config }
You have changed them to reply items ...
/etc/freeradius/users: DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/local/bin/otpverify.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:PIN}' '%{reply:Offset}'", Fall-Through = Yes
user1 Secret:=143a5c6fa125ac1f, PIN:=1234, Offset:=0
... but configured them as check items. Revert to original exec line and place user entry *above* DEFAULT entry.
Thanks for your advice. I configured the users-file described above, but it didn't work. Now I can see, that freeradius never calls the external script. It seems, that freeradius never uses the "MOTP"-Auth-type: [...] Ready to process requests. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78 User-Name = "user1" User-Password = "secret" Service-Type = Authenticate-Only NAS-Identifier = "debian.local" NAS-IP-Address = 192.168.82.40 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated users: Matched entry user1 at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "secret" rlm_pap: Using CRYPT encryption. rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CRYPT password check failed): [user1/secret] (from client 192.168.82.40 port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.82.40 port 1026, id=109, length=78 Waiting to send Access-Reject to client 192.168.82.40 port 1026 - ID: 109 Sending delayed reject for request 0 Sending Access-Reject of id 109 to 192.168.82.40 port 1026 Waking up in 4.9 seconds. Cleaning up request 0 ID 109 with timestamp +17 Ready to process requests. Do I need to configure something in the authorize-section or somewhere else ?? Thank you for your help. Stefan