Hello I have two kind of remote access on cisco asa, first ovia ssl vpn and second via l2tp/ipsec (for mobile phones with androids). Both access are made on the same cisco and both autorizen on the same freeradius server with motp ( mobile one time password). Access via ssl vpn works correct but access via l2tp/ipsec not. I see that there is some problem with auth. For l2tp/ipsec i set authorization chap ( i disabled mschap v1 and v2, they didn't work also) Thank You for any help This is debug from l2tp/ipsec connection: rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=240, length=134 User-Name = "tom3" CHAP-Password = 0x01972f0886c4e5e2f30e32053dbcf67504 NAS-Port = 5357568 Service-Type = Framed-User Framed-Protocol = PPP CHAP-Challenge = 0x119f01e96a9a794879f770373a39827c7463bb1cfd4c9bf6ebeac4fb1ac47b3b8b1861bee84b0273d5 Tunnel-Client-Endpoint:0 = "83.6.6.66" NAS-IP-Address = 10.162.1.1 NAS-Port-Type = Virtual +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'tom3' '' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "tom3" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Login incorrect (rlm_chap: Clear text password not available): [tom3/<CHAP-Password>] (from client ciscoasa port 5357568) /raddb/users: DEFAULT Auth-Type = External Exec-Program-Wait = "/usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}'", Fall-Through = Yes tom3 Secret = f11111xxxx1111a, PIN = yyyy, Offset = 0, CVPN3000-IETF-Radius-Class := "press" cat radiusd.conf ... modules { exec MOTP { wait = yes program = "/usr/local/bin/otp4freeradius.sh %{User-Name} %{User-Password} %{reply:Secret} %{reply:Pin} %{reply:Offset}" input_pairs = request output_pairs = reply } $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ cat raddb/sites-enabled/default authorize { preprocess chap mschap suffix files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type External { MOTP } unix } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp attr_filter.accounting_response } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { } and here is debug from working connection for sslvpn: rad_recv: Access-Request packet from host 10.162.1.1 port 1025, id=239, length=136 User-Name = "tom3" User-Password = "bd8d9a" NAS-Port = 5353472 Called-Station-Id = "7.24.64.182" Calling-Station-Id = "9.72.8.13" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "9.72.8.13" NAS-IP-Address = 10.162.1.1 Cisco-AVPair = "ip:source-ip=9.72.8.13" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "tom3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: /usr/local/bin/otp4freeradius.sh '%{User-Name}' '%{User-Password}' '%{reply:Secret}' '%{reply:Pin}' '%{reply:Offset}' -> /usr/local/bin/otp4freeradius.sh 'tom3' 'bd8d9a' '' '' '' [files] users: Matched entry tom3 at line 5 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = External +- entering group External {...} [MOTP] expand: %{User-Name} -> tom3 [MOTP] expand: %{User-Password} -> bd8d9a [MOTP] expand: %{reply:Secret} -> f11111111xx111a [MOTP] expand: %{reply:Pin} -> xyzw [MOTP] expand: %{reply:Offset} -> 0 Exec-Program output: ACCEPT czas:2011-12-01 21:27:32 Exec-Program-Wait: plaintext: ACCEPT czas:2011-12-01 21:27:32 Exec-Program: returned: 0 ++[MOTP] returns ok Login OK: [tom3/bd8d9a] (from client ciscoasa port 5353472 cli 9.72.8.13) WARNING: Empty section. Using default return values. Sending Access-Accept of id 239 to 10.162.1.1 port 1025 CVPN3000-IETF-Radius-Class := "press" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 239 with timestamp +308 Ready to process requests.