Hello all. I have a short question. I want to use multiotp as an authentication-module in freeradius on a debian-wheezy system. multiotp itself works properly. The authentication works as expected. But now the question: I want to filter the different users to groups using the "users"-file of freeradius, for example: DEFAULT Auth-type = multiotp, Group-Name := "allowed-users" Reply-Message = "Your multiotp-account has been enabled." DEFAULT Auth-type = multiotp, Group-Name := "forbidden-users" Reply-Message = "Your multiotp-account has been disabled." We are very free for setting an attribute-name in multiotp - but I don't know, which attribute-name do I have to set. I tested with different attribute names (like "Group-Name" in the example above). But nothing works. I only get the reply-message "Your multiotp-account has been enabled", everytime - even if the user is member of the group "allowed-users" or "forbidden-users". These are the last lines of debug-output. The user is member of the group "forbidden-users": [...] rad_recv: Access-Request packet from host 127.0.0.1 port 46615, id=111, length=77 User-Name = "testuser" User-Password = "1234740472" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0xdff73ff20f7d54045b999eae4cc891be # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 58 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++- entering policy multiotp.authorize {...} +++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> FALSE +++? if (!control:Auth-Type) -> FALSE ++- policy multiotp.authorize returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = multiotp # Executing group from file /etc/freeradius/sites-enabled/default +- entering group multiotp {...} [multiotp] expand: %{User-Name} -> testuser [multiotp] expand: %{User-Password} -> 1234740472 [multiotp] expand: -src=%{Packet-Src-IP-Address} -> -src=127.0.0.1 [multiotp] expand: -chap-challenge=%{CHAP-Challenge} -> -chap-challenge= [multiotp] expand: -chap-password=%{CHAP-Password} -> -chap-password= [multiotp] expand: -ms-chap-challenge=%{MS-CHAP-Challenge} -> -ms-chap-challenge= [multiotp] expand: -ms-chap-response=%{MS-CHAP-Response} -> -ms-chap-response= [multiotp] expand: -ms-chap2-response=%{MS-CHAP2-Response} -> -ms-chap2-response= Exec-Program output: Group-Name = "forbidden-users" Exec-Program-Wait: value-pairs: Group-Name = "forbidden-users" Exec-Program: returned: 0 ++[multiotp] returns ok Login OK: [testuser] (from client localhost port 0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 111 to 127.0.0.1 port 46615 Class = 0x656e61626c6564 Reply-Message = "Your multiotp-account has been enabled." Finished request 0. Going to the next request Waking up in 4.9 seconds. So, I think I am using the wrong attribute-keyword. Can anybody tell me, which keyword do I have to use? Regards, Stefan