Error 2FA - AD password and external OTP via RADIUS proxy

Alan DeKok aland at
Wed Mar 11 21:42:31 CET 2020

On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users at> wrote:
> In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287
> First the request for a normal password and then the OTP 2217287
> What's wrong?

  The user entered the password followed by the OTP, all as one field.  Then, you configured FreeRADIUS to send all that to LDAP.

  The general practice is to put the 6-digit OTP first, then the password.  Then, split them via something like this:

	# The first six characters are the OTP, the rest is the password.
	if (User-Password =~ /^(......)(.*)$/)  {
		update request {
			User-Password := "%{2}"
			OTP-Password := "%{1}"
		}
	}

  You will need to edit raddb/dictionary in order to define OTP-Password.

  This lets you use User-Password as normal to connect to LDAP, and authenticate the user.

  You can then check OTP-Password however you want.

  Alan DeKok.
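
A fuller version of the split described in the reply above, as an added example that is not part of the original post or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 3.x unlang, a virtual server file named `default`, an `ldap` module instance, and that attribute number 3000 is free for a local attribute; unlike the snippet in the reply, it requires the OTP part to be six digits and rejects requests that do not match.

```unlang
# --- raddb/dictionary ---
# Local attribute, never sent in a RADIUS packet.
# 3000 is an assumed number; use one that is unused in your dictionaries.
ATTRIBUTE	OTP-Password	3000	string

# --- raddb/sites-enabled/default (assumed virtual server) ---
authorize {
	# Require exactly six digits, followed by a non-empty password.
	if (User-Password =~ /^([0-9]{6})(.+)$/) {
		update request {
			User-Password := "%{2}"
			OTP-Password := "%{1}"
		}
	}
	else {
		# Wrong field order or missing OTP: stop here instead of
		# handing the combined string to LDAP as a password.
		reject
	}

	# User-Password now holds only the directory password.
	ldap

	# Check OTP-Password here with whatever OTP backend is in use.
}
```

With the input from the question, where the password comes first, the strict pattern does not match and the request is rejected before any LDAP bind is attempted.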
