Hi All, I've been following Thomas Glanzmann's work on sms/email otp with freeradius and can see it could REALLY save our organisation a lot of money (we're using securid tokens exclusively ATM). I'm trying to work out something to suit us and at the same time be helpful to others into making something useful, not that I'm a coder particularly. Can I just ask if anyone has any ideas about implementing a beginning process like this; Authorization : - Check user is in an ldap group "allowed" to do otp; using the files, and ldap modules. I'm thinking pass back the phone number for sms from the ldap module, and place in a custom attribute. Ok on that bit Authentication: - Assuming user has a phone number in ldap and is allowed to do OTP, and if the request is new and, they authenticate, then we want to generate an OTP and store it. I guess the generation *could* be done in exec or perl modules quite easily or using xlat, but not sure how to do it using that. Then the user, otp failed attempts and maybe lock state are stored, preferably in a sql table. If request isn't new, how many tries have they already had? - The ordering is the tricky thing here - we need to authenticate the user before an otp is generated, then challenge against that otp, incrementing the failure count if the auth fails and then rechallenging up to the failure limit and then setting auth-type if we pass the user. I can't do unlang in the authentication phase and presumably the post auth section may not be the place to do all these other checks and sql bits. I can see why it's perhaps easier to do all this in exec or perl modules and just return an exit code, but I'd like to see if it can all be done within FR. Once the challenge fails, we need to prompt again until the retry limit.. - At some point we need to return control variables from the to determine the account lock state and failed attempts if the user fails and then revisits the NAS - from the SQL module, where I'd like to see the session data stored. I guess this is possible but am not 100% on how it's done. These are just ramblings. I'd forgive people for just ignoring this post, but hopefully someone is interested enough to get something like this working - it's a great cheap way of 2 factor authentication and it'd be nice not to have to go and buy software to do this. I know Thomas Glanzmann has already got this going with rlm_perl and the smsotp module methods using a file based db, but I'd like to see ldap authorization and variable passback (phone numbers/ email addresses if using email OTP) filling an sql DB, or maybe rlm_cache (of which I've no knowledge and I think is experimental?) for storage of variables. Also some post auth sql storage of cumulative sessions, failed attempts etc, if possible all using FR natively without perl/exec etc, which wouldn't be too difficult. Am I dreaming or can this be done completely within FR without using perl/exec/..? Cheers Andy