Hi, I have been scouring the Internet for a few days now looking for information about setting up 2 FA with AD (ntlm_auth) and Yubikey I found this , which was very useful but it seems to rely on adding the yubikey to the AD account . I was hoping to be able to do it without making changes to the AD accounts Is this possible ? http://lists.freeradius.org/pipermail/freeradius-users/2021-February/099521.... Basically, the workflow that I am looking for is 1. configure Apache website with AddRadiusAuth pointing to radius server (DONE) 2. configure freeradius ntlm_auth ( by leveraging samba/winbind) (DONE) I was able to connect to the website using my AD credentials 3. configure self-hosted yubico server to validate yubikeys (DONE) tested 3. install and configure freeradius yubikey This I am not sure how to test 4. configure freeradius to authenticate via ntlm_auth and, if successful, via yubikey This where I am stuck Here are some details 10.10.30.111 - Yubikey validation server 10.10.30.112 - where Apache website is hosted 10.10.30.114 - FreeRADIUS Version 3.0.16 ".. ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) if (ok) { (0) if (ok) -> TRUE (0) if (ok) { (0) update reply { (0) EXPAND %{randstr:aaaaaaaaaaaaaaaa} (0) --> t6cJ6I2cWiGii1aG (0) State := 0x7436634a364932635769476969316147 (0) Reply-Message := "Please enter OTP" (0) } # update reply = noop (0) policy challenge { (0) update control { (0) &Response-Packet-Type = Access-Challenge (0) } # update control = noop (0) [handled] = handled (0) } # policy challenge = handled (0) } # if (ok) = handled (0) } # Auth-Type ntlm_auth = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 105 from 10.10.30.114:1812 to 10.10.30.112:1026 length 0 (0) State := 0x7436634a364932635769476969316147 (0) Reply-Message := "Please enter OTP" (0) Finished request Waking up in 4.9 seconds. .." sites-enabled excerpt if (!control:Auth-Type) { update control { Auth-Type = "ntlm_auth" } } } authenticate { Auth-Type ntlm_auth { ntlm_auth if (ok) { update reply { State := "%{randstr:aaaaaaaaaaaaaaaa}" Reply-Message := "Please enter OTP" } challenge } } Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap digest ntlm_auth yubikey eap ..." /mods-enabled/yubikey "... yubikey { id_length = 12 split = yes decrypt = no validate = yes validation { servers { uri = ' http://10.10.30.111/wsapi/2.0/verify?id=%d&otp=%s' } client_id = 1 api_key = 'my_key' pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 spread = yes } } } ..." Any guidance / help will be greatly appreciated Also, if there is a better scalable/ enterprise ready way to configure freeradius 2FA with AD and Yubikey I'll be happy to look into it Many thanks Steven