Hi, We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind. I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following: winbind_username = "%{mschap:User-Name}" winbind_domain = "%{mschap:NT-Domain}" I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fo however lead me to an article titled Understanding PEAP In-Depth, where values initiators and radius generate is summarised as: Initiator: AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a') PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6') chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge) PasswordHash = chap.NtPasswordHash(Password) Challenge = chap.ChallengeHash(PeerChallenge, AuthenticatorChallenge, UserName) NTResponse = chap.ChallengeResponse(Challenge, PasswordHash) print ('Challenge : '+Challenge.hex()) print ('NTResponse: '+NTResponse.hex()) radius: AuthenticatorChallenge = b''.fromhex('f5 b8 ad ee e9 ff 08 15 dd 83 e8 2d 89 6e eb 2a') PeerChallenge = b''.fromhex('e3 32 bf 8e c5 37 e5 72 1d 0d 9a 0e e4 40 46 d6') chap = MSCHAPV2(UserName, Password, AuthenticatorChallenge, PeerChallenge) NTResponse = b''.fromhex('6c da db 80 dd 53 10 b8 05 f2 a0 da 9b b4 5e ad 51 ee 65 34 4c 95 e6 00') PasswordHash = chap.NtPasswordHash(Password) AuthenticatorResponse = chap.GenerateAuthenticatorResponse(Password, NTResponse, PeerChallenge, AuthenticatorChallenge, UserName) print('Authenticator Response: ' + AuthenticatorResponse) I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username? If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry? I'd like to essentially transform a MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD. Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could lookup the username prefix in a file and then set winbind_username as the AD account name that key belong to. Thought process was to reject requests were the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against YubiCo validation servers. [cid:image001.png@01D703BA.131606D0] References: * Understanding PEAP In-Depth https://sensepost.com/blog/2019/understanding-peap-in-depth/ * Yubico OTPs Explained https://developers.yubico.com/OTP/OTPs_Explained.html Regards David Herselman