Hey all, ive set up a radius daemon to verify OTPs. It's all working just fine, except for the log entries on failure to give the correct OTP. Here is the virtual server ive set up: server oath { client XXXXXXXX { secret = XXXXXXXXXX shortname = oath } listen { type = auth ipaddr = * port = 4000 } listen { type = acct ipaddr = * port = 4001 } authorize { preprocess if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) { update control { Auth-Type := Reject } } else { files } } accounting { radutmp exec } post-auth { exec } } The actual OTP script is run from the users file, as per the directions of the script author. DEFAULT Auth-Type = Accept Exec-Program-Wait = "/usr/sbin/multiotp -log %{User-Name} %{User-Password}", Reply-Message = "Hello, %{User-Name}" This works fine. If I give the correct pin+OTP I can login, and wrong one I cant. Freeradius -X on wrong OTP says: server oath { # Executing section authorize from file /etc/freeradius/sites-enabled/oath +- entering group authorize {...} ++[preprocess] returns ok ++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) expand: %{request:User-Password} -> 1234383980 ?? Evaluating ("%{request:User-Password}" =~ /^[0-9]{10,10}$/) -> TRUE ? Converting !TRUE -> FALSE ++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) -> FALSE ++- entering else else {...} [files] users: Matched entry DEFAULT at line 203 [files] expand: /usr/sbin/multiotp -log %{User-Name} %{User-Password} -> /usr/sbin/multiotp -log cor XXXXXXXX [files] expand: Hello, %{User-Name} -> Hello, cor +++[files] returns ok ++- else else returns ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [cor] (from client oath port 10) # Executing section post-auth from file /etc/freeradius/sites-enabled/oath +- entering group post-auth {...} Exec-Program output: Exec-Program: returned: 26 [exec] Login incorrect (external check said so) ++[exec] returns reject } # server oath Sending Access-Reject of id 151 to 194.109.42.42 port 42619 Reply-Message = "Hello, cor" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 151 with timestamp +6 Im using 'exec' in post-auth to use the return code of the script to reject the login. I dont know of another way to do this. Unfortunately this does mean that im seeing this in syslog: Jul 17 20:55:58 otpauth1 freeradius[24891]: Login OK: [cor] (from client oath port 10) Is there a way to have freeradius properly give a login rejected msg in syslog? Regards, Cor