hi, all, Any way to handle a second access request? Our user is in AD and VPN will do an MSCHAP authentication first and filter property of User-Name from access request, then call an access-challenge to verify against the other module whose logic is as simple as starting a http request via http://XXX/check/username= <http://xxx/check/username=><USER-NAME>&OTP=<xxxxxx>, if return 200, it's ok. Basically, I want to auth a single login against two modules, only both of them are successful, the auth could be deemed as OK. # site-enabled/default authorize { if (!State) { # MS-CHAP has no User-Password, so it's true. if (!User-Password ) { # If !State and User-Password is null, then goes to MS-CHAP: update { &control:Auth-Type := MS-CHAP } } else { reject } } else { # The 2nd auth module. # I DON'T KNOW HOW TO WRITE. } } } # ### authentication ##### authentication { Auth-Type MS-CHAP { mschap if (ok) { update reply { # Create a random State attribute: State := "%{randstr:XXXXXXXXXXXXX}" Reply-Message := "Please type your OTP:" } # Return Access-Challenge, goes to the 2nd auth. challenge } } } Thanks a lot.