Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at
Thu Jun 2 22:57:57 CEST 2016

> On Jun 2, 2016, at 4:53 PM, Arran Cudbard-Bell <a.cudbardb at> wrote:
>> On Jun 2, 2016, at 4:33 PM, Cornelius Kölbel <cornelius.koelbel at> wrote:
>> On Thursday, 02.06.2016, at 15:58 -0400, Arran Cudbard-Bell wrote:
>>>> We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP.  However, I opened a ticket today and their newer versions actually support MSChapv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.
>>> Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.
>> The OTP server could return the plain text OTP password. But this is
>> only the 2nd factor. It will not return the LDAP user password, which is
>> the 1st factor.
> Yeah, if you're using an LDAP server that doesn't give you access to the plaintext password, and if you're set on using passwords.
> Certificates do the job just as well.  Especially if they're encrypted.



More information about the Freeradius-Users mailing list