On Mon, 15 Jun 2009, Stefan Kuegler wrote:
exec motp { wait = yes program = "/usr/local/bin/otpverify.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:PIN} %{reply:Offset}" input_pairs = request output_pairs = config } It seems, that freeradius never uses the "MOTP"-Auth-type: auth: type "PAP" +- entering group PAP
Not an expert on motp. But should it be mistaken for 'PAP'?
It got "mistaken" for pap because user1 line in users file had a crypt password in it (I don't know what it's doing there - probably shouldn't be).
Perhaps you need to put your check for 'motp' in the auth section *before* PAP?
Forcing Auth-Type in users file should work. If you need both pap (password known to the server) and MOTP (password to be verified by external script) working user entry can be replaced with unlang statement after pap in authorize (both can't be made to work in 1.x).
Or remove the reference to PAP altogether if you never use it....?
The policy of the list is "that you should make minimal changes to default configuration until you make things work; then remove one by one things you think you don't need, making sure everything you need still works". In that way, if you mess up it is easy to backtrack. Listing motp in authorize before pap is likely to achieve - nothing. There is nothing to suggest that something called "otpverify" can set Auth-Type to MOTP. So, better not go that way. Ivan Kalik Kalik Informatika ISP