Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at
Thu Jun 2 22:53:57 CEST 2016

> On Jun 2, 2016, at 4:33 PM, Cornelius K├Âlbel <cornelius.koelbel at> wrote:
> Am Donnerstag, den 02.06.2016, 15:58 -0400 schrieb Arran Cudbard-Bell:
>>> We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP.  However, I opened a ticket today and their newer versions actually support MSChapv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.
>> Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.
> The OTP server could return the plain text OTP password. But this is
> only the 2nd factor. It will not return the LDAP user password, which is
> the 1st factor.

Yeah, if you're using an LDAP server that doesn't give you access to the plaintext password, and if you're set on using passwords.

Certificates do the job just as well.  Especially if they're encrypted.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list