Dear all (FreeRADIUS 3.0.26 on Ubuntu 22.04) I am trying to get a MFA setup working with an initial LDAP direct bind against Microsoft AD (MAD) and then a second pass with the same username and a OTP. I can get both the LDAP and OTP working fine individually. I am using the wiki Howto: https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy as a model. This howto uses "State" to determine which Auth-Type it is at in the process. At the end of the howto there is a section that describes filtering out the State attribute for Pre-Proxy and I think this is where I am getting things wrong. I'm not sure what "State" is. I am unable to find docs about it but it is the only input difference I can see when running "freeradius -fX" so I think I need to filter it out. I'm not sure why I should filter it out either! If attr_filter is what I should do to get this to work, I'd be grateful for some help. I've also deviated from the howto example by trying to decompose "challenge" into what it actually does: update control { Response-Packet-Type := Access-Challenge { With the site-enabled config below, the debug logs show that the initial user/pass against LDAP works fine and State gets set to a 16 random char. Then it tries to do a second pass and I can see the username and password (which is now the PIN for the OTP) passed through and so is the "State" that got set by stage one. This second pass fails and when I compare the logs against just the OTP method that works, "State" is the only additional input. Cheers Jon # LDAP with direct bind as the user logging in - Active Directory # then prompt for a PIN, and pass that to PrivacyIdea # JG 04 Jun 2024 server active-directory { listen { type = auth ipaddr = 10.77.10.10 port = 1812 clients = external } authorize { if (!State) { if (&User-Password) { update control { Ldap-UserDN := "%{User-Name}@blueloop.net" Auth-Type := AD } } else { reject } } else { #### attr_filter.access_challenge ? #################### I think this is where I am going wrong perl-privacyidea if (ok || updated) { update control { Auth-Type := Perl } } } } authenticate { Auth-Type AD { ldap if (ok) { update reply { State := "%{randstr:aaaaaaaaaaaaaaaa}" Reply-Message := "Please enter PIN" } update control { Response-Packet-Type := Access-Challenge } } } Auth-Type Perl { perl-privacyidea } } }