I think I¹ve found a solution. I¹m posting it here for mostly a sanity check and to share if anyone else is having issues combining a YUBIKEY Hashed One Time Password (HOTP) for a token caching service. This is very similar to the offering that Steel Belted Radius provides. FreeRadius Version: freeradius-2.2.6-1 Must be compiled with ‹with-edir and have the rlm_cache caching module available. eDirectory server configured with HOTP NMAS Method ( https://www.netiq.com/communities/cool-solutions/using-yubico-yubikey-with- edirectory-for-two-factor-authentication/ ) The main driver behind this solution was using two factor authentication with Thinlinc. Their solution requires that a OTP be used twice. Their documentation recommends steel belted radius that has this feature build in for them. I¹d rather use a freeRadius solution. 1) Get PAP working with ldap. (not comparing extracted passwords) 2) copy the modules/cache to modlues/hotpcache cache hotpcache{ key = "%{User-Name}/%{urlquote:%{User-Password}}² ttl = 5 epoch = 0 add-stats = no update { reply:Reply-Message += "I'm the cached reply from %t" control:Class := 0x010203 } } 3) Here is the default site that uses the new cache module authorize { preprocess eap { ok = return } ldap hotpcache if (ok) { update control { Auth-Type := Accept Cache-Status-Only !* ANY Cache-TTL = 0 } hotpcache # remove entry ok } else { update control { Cache-Status-Only !* ANY } } expiration logintime pap } authenticate { Auth-Type PAP { ldap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix files } accounting { detail exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject update control { Cache-TTL = 0 } hotpcache update control { Cache-TTL !* ANY } } hotpcache } pre-proxy { } post-proxy { eap }