Thanks Alan, Your advise was spot on. I moved/added the ldap.authenticate so that both steps use the Proxy-To-Realm and this meant the correct Access-Challenge response is sent during the first step. if (!State) { if (&User-Password) { # If !State and User-Password (PAP), then force LDAP: update control { Ldap-UserDN := "%{User-Name}@my-domain.com" Auth-Type := LDAP } ldap.authenticate if (!ok) { reject } } else { reject } } update control { Proxy-To-Realm := "proxy-test" } I kept 2 rejects for both a missing User-Password and an invalid LDAP bind. the Proxy-To-Realm always fires off. [user@test-vm ~]$ echo "User-Name=testuser,User-Password=testpassword" |radclient -x 127.0.0.1:1812 auth test1234 Sent Access-Request Id 35 from 0.0.0.0:52833 to 127.0.0.1:1812 length 46 User-Name = "testuser" User-Password = "testpassword" Cleartext-Password = "testpassword" Received Access-Challenge Id 35 from 127.0.0.1:1812 to 0.0.0.0:0 length 117 Reply-Message = "Enter a response from your token with serial number 01234-45678." State = 0x49475261646975733a4445562d455345432d483230333a313831323a31 (0) -: Expected Access-Accept got Access-Challenge [user@test-vm ~]$ echo "User-Name=testuser,User-Password=27938732,State=0x49475261646975733a4445562d455345432d483230333a313831323a31" |radclient -x 127.0.0.1:1812 auth test1234 Sent Access-Request Id 178 from 0.0.0.0:33432 to 127.0.0.1:1812 length 77 User-Name = "testuser" User-Password = "27938732" State = 0x49475261646975733a4445562d455345432d483230333a313831323a31 Cleartext-Password = "27938732" Received Access-Accept Id 178 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 Thanks again, Bill