Dear Alan! Please find the debug of the successful mschap authentication below. The Duo Auth removed from the post auth section. Ready to process requests (0) Received Access-Request Id 209 from 10.101.168.3:59819 to 10.148.64.67:1812 length 161 (0) Service-Type = Framed-User (0) Framed-Protocol = PPP (0) User-Name = "Peter Dudas" (0) NAS-IP-Address = 89.212.168.XYZ (0) NAS-Port = 0 (0) MS-CHAP-Challenge = 0x8ef379a65af2caa31bc58658cecfb468 (0) MS-CHAP2-Response = 0x3200b3c3cbfae01b4a336b36a956fd00a6010000000000000000b8e93f963a8a27ecd54c3bda0ffed73bf110dfae7bc9868b (0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000d1 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/ 10.101.168.3/auth-detail-20170105 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/auth-detail-20170105 (0) auth_log: EXPAND %t (0) auth_log: --> Thu Jan 5 00:10:27 2017 (0) [auth_log] = ok (0) if (User-Name != "" && Service-Type !* "") { (0) if (User-Name != "" && Service-Type !* "") -> FALSE (0) else { (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") { (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") -> TRUE (0) if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") { (0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") { (0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") -> TRUE (0) if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") { (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) { (0) EXPAND Packet-Type (0) --> Access-Request (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) -> TRUE (0) if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) { (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) { (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) -> TRUE (0) if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) { (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) if (ok) { (0) if (ok) -> TRUE (0) if (ok) { (0) update reply { (0) Filter-Id := "L2TP-Users" (0) } # update reply = noop (0) } # if (ok) = noop (0) } # if (MS-CHAP-Challenge != "" && NAS-PORT == "0" ) = ok (0) } # if (Service-Type == "Framed-User" && Packet-Type == "Access-Request" ) = ok (0) } # if (NAS-IP-Address == "89.212.168.XYZ" && Framed-Protocol == "PPP") = ok (0) } # if (MS-CHAP2-Response != "" && MS-CHAP-Challenge != "") = ok (0) } # else = ok (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type mschap { (0) mschap: Creating challenge hash with username: Peter Dudas (0) mschap: Client is using MS-CHAPv2 (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{request:User-Name} --domain=site.domain.local --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=site.domain.local\l2tp-users: (0) mschap: EXPAND --username=%{request:User-Name} (0) mschap: --> --username=Peter Dudas (0) mschap: Creating challenge hash with username: Peter Dudas (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=a378e306f1156a0d (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=b8e93f963a8a27ecd54c3bda0ffed73bf110dfae7bc9868b (0) mschap: Program returned code (0) and output 'NT_KEY: A1A055BBCC2133B2E1FCD8213C6B03FE' (0) mschap: Adding MS-CHAPv2 MPPE keys (0) [mschap] = ok (0) } # Auth-Type mschap = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) post-auth { (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/ 10.101.168.3/reply-detail-20170105 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105 (0) reply_log: EXPAND %t (0) reply_log: --> Thu Jan 5 00:10:27 2017 (0) [reply_log] = ok (0) [exec] = noop (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/ 10.101.168.3/reply-detail-20170105 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.101.168.3/reply-detail-20170105 (0) reply_log: EXPAND %t (0) reply_log: --> Thu Jan 5 00:10:27 2017 (0) [reply_log] = ok (0) } # post-auth = ok (0) Login OK: [Peter Dudas/<via Auth-Type = mschap>] (from client dc1 port 0) (0) Sent Access-Accept Id 209 from 10.148.64.67:1812 to 10.101.168.3:59819 length 0 (0) Filter-Id := "L2TP-Users" (0) MS-CHAP2-Success = 0x32533d37394230393541463633444633413145353737343239303830353046363142434245353136424336 (0) MS-MPPE-Recv-Key = 0xbe1f6bc006bce75b35eea9768b019de5 (0) MS-MPPE-Send-Key = 0x76698eb2f646753c148e41dc1184bf5a (0) MS-MPPE-Encryption-Policy = Encryption-Required (0) MS-MPPE-Encryption-Types = 4 (0) Proxy-State = 0xfe80000000000000953e77ad63f094ba000000d1 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 209 with timestamp +70 I don't see any difference in the reply - checked the logs. With this I was able to login from and Android phone. MPPE encryption type I changed to Required (at module mschap) - but as you can see it is working with that as well. This is the only defference at the reply packet. Peter Dudas