Hi, I am new to freeradius and after going through docs and user faq I was not able to solve this issue after multiple checks in my config. freeradius version is 3.0.13 I am using Linux ( from Amazon AWS HVM2 64 bit ) and using the EC2 box My VPC CIDR range (or client machines are ) : 10.0.0.0/16 I used the scripts below to install yum install -y freeradius freeradius-utils google-authenticator sssd httpd sed -i.bak -e 's/user = radiusd/user = root/' -e 's/group = radiusd/group = root/' /etc/raddb/radiusd.conf sed -i.bak -e "s/^#\tpam/\tpam/" /etc/raddb/sites-available/default yum install https:// dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y yum install google-authenticator -y Configurations made were as following I have modified /etc/raddb/clients.config to accept ip ranges from my CIDR client vpc_clients { ipaddr = 10.0.0.0/16 secret = testing12345 } Enabled PAM in file/etc/sites-available/default by removing the '#' pam comment Enabled PAM as default authentication type in /etc/raddb/users by removing comment on DEFAULT Group and adding DEFAULT Auth-Type := PAM line DEFAULT Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAM Also changed the /etc/pam.d/radiusd for PAM integration auth requisite pam_google_authenticator.so account required pam_permit.so session required pam_permit.so Enabled PAM module ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam The test was ok (Accept-request) when a local user like 'bob' was added to raduser file without PAM. So as next step I added testuser for google-autheticator as below sudo useradd -g radius-users testuser sudo -u testuser google-authenticator I tried the command radtest testuser <PIN from googleauthenticator> 10.0.24.144:1812 10 testing12345 I get following error No "known good" password found for the use. I rechecked the configs and authenticator PAM is enabled but the failure happens earlier. Please let me know how I could move ahead or where I should check next ? Debug Message : 2) Received Access-Request Id 4 from 10.0.24.144:60632 to 10.0.0.209:1812 length 72 (2) NAS-IP-Address = 10.0.24.144 (2) User-Name = "testuser" (2) User-Password = "81625808" (2) Message-Authenticator = 0xa15c37032939718e521cb83a03b31e74 (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "testuser", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (2) pap: WARNING: Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = ok (2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> testuser (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 4 from 10.0.0.209:1812 to 10.0.24.144:60632 length 20 Waking up in 3.9 seconds. (2) Cleaning up request packet ID 4 with timestamp +84 Ready to process requests (3) Received Access-Request Id 5 from 10.0.24.144:51706 to 10.0.0.209:1812 length 72 (3) NAS-IP-Address = 10.0.24.144 (3) User-Name = "testuser" (3) User-Password = "81625808" (3) Message-Authenticator = 0x315376d568418fcf0cbbd174d5c7826f (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "testuser", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: No EAP-Message, not doing EAP (3) [eap] = noop (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (3) pap: WARNING: Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> testuser (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 5 from 10.0.0.209:1812 to 10.0.24.144:51706 length 20 Waking up in 3.9 seconds. (3) Cleaning up request packet ID 5 with timestamp +553 Ready to process requests