Hi list : ) With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available? I have set this in my policy.conf: policy { # Change to a specific prefix if you want to deal with normal PAP authentication as well as OTP # e.g. "multiotp_prefix = 'otp:'" multiotp_prefix = '' multiotp.authorize { # This test force multiOTP for any MS-CHAP(v2) attempt if (control:Auth-Type == MS-CHAP) { update control { Auth-Type := multiotpmschap MS-CHAP-Use-NTLM-Auth := No } } # This test force multiOTP for any MS-CHAP(v2) attempt elsif (control:Auth-Type == mschap) { update control { Auth-Type := multiotpmschap MS-CHAP-Use-NTLM-Auth := No } } . . . radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section): # radtest -x -t mschap bob $(./totp.py) localhost 0 testing123 Sent Access-Request Id 76 from 0.0.0.0:37601 to 127.0.0.1:1812 length 129 User-Name = "bob" MS-CHAP-Password = "631266" NAS-IP-Address = 10.118.240.180 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "631266" MS-CHAP-Challenge = 0x674bc434692c64f3 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf Received Access-Reject Id 76 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=24b53a75a9d80580 V=2" (0) -: Expected Access-Accept got Access-Reject However the server component appears not to expose Cleartext-Password for my use. From raddebug: (3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob" (3) Sun Feb 2 02:19:01 2020: Debug: NAS-IP-Address = 10.118.240.180 (3) Sun Feb 2 02:19:01 2020: Debug: NAS-Port = 0 (3) Sun Feb 2 02:19:01 2020: Debug: Message-Authenticator = 0x784a3fcd0eaa0a74d07afa17da59adad (3) Sun Feb 2 02:19:01 2020: Debug: MS-CHAP-Challenge = 0x674bc434692c64f3 (3) Sun Feb 2 02:19:01 2020: Debug: MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000027167c876e56981640f36d071e8335dfa39b7c5bdac381bf (3) Sun Feb 2 02:19:01 2020: Debug: # Executing section authorize from file /etc/raddb/sites-enabled/default (3) Sun Feb 2 02:19:01 2020: Debug: authorize { (3) Sun Feb 2 02:19:01 2020: Debug: policy filter_username { . . . (3) Sun Feb 2 02:19:02 2020: Debug: } # authorize = ok (3) Sun Feb 2 02:19:02 2020: Debug: Found Auth-Type = mschap (3) Sun Feb 2 02:19:02 2020: Debug: # Executing group from file /etc/raddb/sites-enabled/default (3) Sun Feb 2 02:19:02 2020: Debug: Auth-Type mschap { (3) Sun Feb 2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured. Cannot create NT-Password (3) Sun Feb 2 02:19:02 2020: WARNING: multiotpmschap: No Cleartext-Password configured. Cannot create LM-Password (3) Sun Feb 2 02:19:02 2020: Debug: multiotpmschap: Client is using MS-CHAPv1 with NT-Password (3) Sun Feb 2 02:19:02 2020: ERROR: multiotpmschap: FAILED: No NT/LM-Password. Cannot perform authentication (3) Sun Feb 2 02:19:02 2020: ERROR: multiotpmschap: MS-CHAP2-Response is incorrect (3) Sun Feb 2 02:19:02 2020: Debug: [multiotpmschap] = reject (3) Sun Feb 2 02:19:02 2020: Debug: } # Auth-Type mschap = reject (3) Sun Feb 2 02:19:02 2020: Debug: Failed to authenticate the user Thanks :) ________________________________________________________________ Richard Green IT Solution Design & Delivery | UNSW Sydney | NSW 2052 richard.green@unsw.edu.au | +61(2) 9385 8738 ABN 57 195 873 179 | CRICOS Provider Code 00098G