Hi, I've got working 2 factor (challenge-response) authentication by rlm_perl module (https://github.com/LinOTP/linotp-auth-freeradius-perl). I'm trying to secure this communication within tunnel (EAP-TTLS), but it ends with a message: No tunneled reply was found for request. If I disable challenge-response while using EAP-TTLS it works like a charm - Auth-Type linotp2 ends with ok state, and sends Access-Accept through tunnel. I've got no idea why it's not working with Access-Challenge reply and I think I've already tried every possible setup. This is my ttls config: ttls { tls = "tls-common" default_eap_type = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } and debug output: (5) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password' (5) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'username' (5) perl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1200' (5) perl: ERROR: Failed to create pair - failed to parse time string "sie 10 2022 11:23:48 CEST" (5) perl: ERROR: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'sie 10 2022 11:23:48 CEST' (5) perl: &request:Framed-IP-Address = $RAD_REQUEST{'Framed-IP-Address'} -> 'some_IP' (5) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User' (5) perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'linotp' (5) perl: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1' (5) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> 'some_IP' (5) perl: &reply:State = $RAD_REPLY{'State'} -> '81561830980360' (5) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'Multiple challenges submitted.' (5) perl: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge' (5) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'linotp2' (5) [perl] = handled (5) } # Auth-Type linotp2 = handled (5) } # server inner-tunnel (5) Virtual server sending reply (5) State = 0x3831353631383330393830333630 (5) Reply-Message = "Multiple challenges submitted." (5) eap_ttls: No tunneled reply was found for request 5 , and the request was not proxied: rejecting the user. (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Sending EAP Failure (code 4) ID 5 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user Thanks for any advice and tips. Przemek