By: Colora Hagwick user 25 Mar 2021 at 2:41 a.m. CDT

1 Response
I'm trying to enable 2FA with RADIUS and Super Gluu.

RADIUS authentication works when I set `radius.auth.scheme = onestep`, but with 2FA (`radius.auth.scheme = twostep`) it's completely unsolvable for me.

One step authentication (it works):

```
colora@ubuntu:~$ radtest jsmith 123456 gluu 1 admin138
Sent Access-Request Id 121 from 0.0.0.0:49636 to 172.17.18.111:1812 length 76
    User-Name = "jsmith"
    User-Password = "123456"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1
    Message-Authenticator = 0x00
    Cleartext-Password = "123456"
Received Access-Accept Id 121 from 172.17.18.111:1812 to 172.17.17.105:49636 length 20
```

2FA (it doesn't work):

```
colora@ubuntu:~$ radtest jsmith 123456 gluu 1 admin138
Sent Access-Request Id 214 from 0.0.0.0:55292 to 172.17.18.111:1812 length 76
    User-Name = "jsmith"
    User-Password = "123456"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1
    Message-Authenticator = 0x00
    Cleartext-Password = "123456"
Received Access-Reject Id 214 from 172.17.18.111:1812 to 172.17.17.105:55292 length 20
(0) -: Expected Access-Accept got Access-Reject
```

Logs:

```
[DEBUG] 2021-03-25 07:39:07.639 [Radius Auth Listener] RadiusServer - receive buffer size = 106496
[DEBUG] 2021-03-25 07:39:07.642 [Radius Auth Listener] DurationUtil - LDAP operation: search, duration: PT0.002208S, dn: ou=radius_clients,o=gluu, filter: (&(&(objectClass=oxRadiusClient))(oxRadiusClientIpAddress=*)), scope: SUB, batchOperationWraper: org.gluu.persist.ldap.impl.LdapBatchOperationWraper@73d7555, start: 0, searchLimit: 0, count: 0, controls: null, attributes: [oxRadiusClientSortPriority, oxRadiusClientIpAddress, oxRadiusClientSecret, inum, oxRadiusClientName]
[DEBUG] 2021-03-25 07:39:07.643 [Radius Auth Listener] BaseEntryManager - LdapProperty: inum, AttributeName: inum, AttributeValue: [300b055d-29a4-443a-acc5-e8eaf357447b]
[DEBUG] 2021-03-25 07:39:07.644 [Radius Auth Listener] BaseEntryManager - LdapProperty: ipAddress, AttributeName: oxRadiusClientIpAddress, AttributeValue: [172.17.18.56]
[DEBUG] 2021-03-25 07:39:07.644 [Radius Auth Listener] BaseEntryManager - LdapProperty: name, AttributeName: oxRadiusClientName, AttributeValue: [OPNsense]
[DEBUG] 2021-03-25 07:39:07.644 [Radius Auth Listener] BaseEntryManager - LdapProperty: priority, AttributeName: oxRadiusClientSortPriority, AttributeValue: [1]
[DEBUG] 2021-03-25 07:39:07.644 [Radius Auth Listener] BaseEntryManager - LdapProperty: secret, AttributeName: oxRadiusClientSecret, AttributeValue: [Ehdt/KvJAbitqcYS6X6lTw==]
[DEBUG] 2021-03-25 07:39:07.644 [Radius Auth Listener] BaseEntryManager - LdapProperty: inum, AttributeName: inum, AttributeValue: [83e4a1ed-81d1-4a31-b74e-a538c530f86c]
[DEBUG] 2021-03-25 07:39:07.645 [Radius Auth Listener] BaseEntryManager - LdapProperty: ipAddress, AttributeName: oxRadiusClientIpAddress, AttributeValue: [172.17.0.0/16]
[DEBUG] 2021-03-25 07:39:07.645 [Radius Auth Listener] BaseEntryManager - LdapProperty: name, AttributeName: oxRadiusClientName, AttributeValue: [nadzya]
[DEBUG] 2021-03-25 07:39:07.645 [Radius Auth Listener] BaseEntryManager - LdapProperty: priority, AttributeName: oxRadiusClientSortPriority, AttributeValue: [1]
[DEBUG] 2021-03-25 07:39:07.645 [Radius Auth Listener] BaseEntryManager - LdapProperty: secret, AttributeName: oxRadiusClientSecret, AttributeValue: [5r7Qxc5h6Jq8SeJiyoSNyg==]
[INFO ] 2021-03-25 07:39:07.645 [Radius Auth Listener] GluuRadiusServer - Client ip: 172.17.17.105
[INFO ] 2021-03-25 07:39:07.646 [Radius Auth Listener] GluuRadiusServer - Client ip: 172.17.17.105
[DEBUG] 2021-03-25 07:39:07.646 [Radius Auth Listener] CidrSubnetMatcher - Match found for client with ip 172.17.17.105
[INFO ] 2021-03-25 07:39:07.646 [Radius Auth Listener] RadiusServer - received packet from /172.17.17.105:43043 on local address 0.0.0.0/0.0.0.0:1812: Access-Request, ID 170
User-Name: jsmith
User-Password: 0x313233343536
NAS-IP-Address: 127.0.1.1
NAS-Port: 1
Message-Authenticator: 0x91ffeee24158986de35d2a43d7df8db6
[DEBUG] 2021-03-25 07:39:07.648 [Radius Auth Listener] SuperGluuAccessRequestFilter - Performing two-step authentication for user {jsmith}
[DEBUG] 2021-03-25 07:39:07.804 [Radius Auth Listener] RequestAddCookies - CookieSpec selected: default
[DEBUG] 2021-03-25 07:39:07.804 [Radius Auth Listener] RequestAuthCache - Auth cache not set in the context
[DEBUG] 2021-03-25 07:39:07.804 [Radius Auth Listener] PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://gluu.solidex.minsk.by:443][total kept alive: 1; route allocated: 1 of 20; total allocated: 1 of 100]
[DEBUG] 2021-03-25 07:39:07.815 [Radius Auth Listener] CPool - Connection [id:0][route:{s}->https://gluu.solidex.minsk.by:443][state:null] expired @ Thu Mar 25 07:33:38 UTC 2021
[DEBUG] 2021-03-25 07:39:07.815 [Radius Auth Listener] DefaultManagedHttpClientConnection - http-outgoing-0: Close connection
[DEBUG] 2021-03-25 07:39:07.816 [Radius Auth Listener] PoolingHttpClientConnectionManager - Connection leased: [id: 1][route: {s}->https://gluu.solidex.minsk.by:443][total kept alive: 0; route allocated: 1 of 20; total allocated: 1 of 100]
[DEBUG] 2021-03-25 07:39:07.816 [Radius Auth Listener] MainClientExec - Opening connection {s}->https://gluu.solidex.minsk.by:443
[DEBUG] 2021-03-25 07:39:07.816 [Radius Auth Listener] DefaultHttpClientConnectionOperator - Connecting to gluu.solidex.minsk.by/172.17.18.111:443
[DEBUG] 2021-03-25 07:39:07.816 [Radius Auth Listener] SSLConnectionSocketFactory - Connecting socket to gluu.solidex.minsk.by/172.17.18.111:443 with timeout 0
[DEBUG] 2021-03-25 07:39:07.817 [Radius Auth Listener] SSLConnectionSocketFactory - Enabled protocols: [TLSv1.2, TLSv1.1, TLSv1]
[DEBUG] 2021-03-25 07:39:07.817 [Radius Auth Listener] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[DEBUG] 2021-03-25 07:39:07.817 [Radius Auth Listener] SSLConnectionSocketFactory - Starting handshake
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] SSLConnectionSocketFactory - Secure session established
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] SSLConnectionSocketFactory - negotiated protocol: TLSv1.2
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] SSLConnectionSocketFactory - peer principal: EMAILADDRESS=mail@mail.com, CN=gluu.solidex.minsk.by, O=Solidex, L=Minsk, ST=CN, C=CN
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] SSLConnectionSocketFactory - issuer principal: EMAILADDRESS=mail@mail.com, CN=gluu.solidex.minsk.by, O=Solidex, L=Minsk, ST=CN, C=CN
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] DefaultHttpClientConnectionOperator - Connection established 172.17.18.111:53308<->172.17.18.111:443
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] MainClientExec - Executing request POST /oxauth/restv1/token HTTP/1.1
[DEBUG] 2021-03-25 07:39:07.831 [Radius Auth Listener] MainClientExec - Target auth state: UNCHALLENGED
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] MainClientExec - Proxy auth state: UNCHALLENGED
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> POST /oxauth/restv1/token HTTP/1.1
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> Content-Type: application/x-www-form-urlencoded
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> Content-Length: 1111
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> Host: gluu.solidex.minsk.by
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> Connection: Keep-Alive
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> User-Agent: Apache-HttpClient/4.5.3 (Java/11.0.8)
[DEBUG] 2021-03-25 07:39:07.832 [Radius Auth Listener] headers - http-outgoing-1 >> Accept-Encoding: gzip,deflate
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "POST /oxauth/restv1/token HTTP/1.1[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "Content-Length: 1111[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "Host: gluu.solidex.minsk.by[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/11.0.8)[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "Accept-Encoding: gzip,deflate[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "[\r][\n]"
[DEBUG] 2021-03-25 07:39:07.833 [Radius Auth Listener] wire - http-outgoing-1 >> "__step=initiate_auth&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&__remote_ip=172.17.17.105&__password=123456&grant_type=password&scope=openid+super_gluu_ro_session&acr_values=super_gluu_ro&client_assertion=eyJraWQiOiI2MDI5OTc2MC02NjE3LTRkNTQtODU4Yy03OWU5MmUyNTA3Y2Ffc2lnX3JzNTEyIiwidHlwIjoiSldUIiwiYWxnIjoiUlM1MTIifQ.eyJzdWIiOiIxNzAxLmMzNWUwNmE4LWVkYTMtNDM2MC04YmEwLWQ1ODg0NGMzM2U2OSIsImF1ZCI6Imh0dHBzOi8vZ2x1dS5zb2xpZGV4Lm1pbnNrLmJ5L294YXV0aC9yZXN0djEvdG9rZW4iLCJpc3MiOiIxNzAxLmMzNWUwNmE4LWVkYTMtNDM2MC04YmEwLWQ1ODg0NGMzM2U2OSIsImV4cCI6MTYxNjY1ODI0NywiaWF0IjoxNjE2NjU3OTQ3LCJqdGkiOiJiNGQ2YmVmYS1hODAzLTRlYzMtYjYyMC1iNzFkNTgxOGQ4N2YifQ.DM-okzBO1shFcwEc3Jd3RyBWu5BTNQ6ZoUmHAv4NhQfz-0miyyUm1gkeJ1FFTt12XQfQwVfbjCPpWfpXQmvPHtE5F2e4HYwRzdHExBXpdqcwNooygIGYPCOg811kuNJgXG3xshmuYCK8uT9Kd1-hst0Ancg4Wu7ApsdsOb7MlOnFPkV43u6yWsdt5bvR1Pzb0cfpjSH1jErM91dSK0ZU6EK8F-xZDFCueN1WcyG2f6dfeaX8NCELouCBYhzkQLotwGGJIi4X837Eg4iHYvsDV42ubNcuK8VMsq64WxpYHMSMXkx9VjacziLgBmqyi5t7v5LbmHcFIhl0fEd0x7BHxA&__auth_scheme=twostep&client_id=1701.c35e06a8-eda3-4360-8ba0-d58844c33e69&username=jsmith"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "HTTP/1.1 401 Unauthorized[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "Date: Thu, 25 Mar 2021 07:39:07 GMT[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "Server: Apache/2.4.29 (Ubuntu)[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "X-Xss-Protection: 1; mode=block[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "X-Content-Type-Options: nosniff[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "Strict-Transport-Security: max-age=31536000; includeSubDomains[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.000 [Radius Auth Listener] wire - http-outgoing-1 << "Cache-Control: no-store[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "Content-Type: application/json[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "Pragma: no-cache[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "Content-Length: 599[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "Keep-Alive: timeout=5, max=100[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "Connection: Keep-Alive[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "[\r][\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "{[\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << " "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.",[\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << " "error": "invalid_client"[\n]"
[DEBUG] 2021-03-25 07:39:08.001 [Radius Auth Listener] wire - http-outgoing-1 << "}"
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << HTTP/1.1 401 Unauthorized
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Date: Thu, 25 Mar 2021 07:39:07 GMT
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Server: Apache/2.4.29 (Ubuntu)
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << X-Xss-Protection: 1; mode=block
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << X-Content-Type-Options: nosniff
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Strict-Transport-Security: max-age=31536000; includeSubDomains
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Cache-Control: no-store
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Content-Type: application/json
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Pragma: no-cache
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Content-Length: 599
[DEBUG] 2021-03-25 07:39:08.002 [Radius Auth Listener] headers - http-outgoing-1 << Keep-Alive: timeout=5, max=100
[DEBUG] 2021-03-25 07:39:08.003 [Radius Auth Listener] headers - http-outgoing-1 << Connection: Keep-Alive
[DEBUG] 2021-03-25 07:39:08.003 [Radius Auth Listener] MainClientExec - Connection can be kept alive for 5000 MILLISECONDS
[DEBUG] 2021-03-25 07:39:08.003 [Radius Auth Listener] HttpAuthenticator - Authentication required
[DEBUG] 2021-03-25 07:39:08.003 [Radius Auth Listener] HttpAuthenticator - gluu.solidex.minsk.by:443 requested authentication
[DEBUG] 2021-03-25 07:39:08.003 [Radius Auth Listener] HttpAuthenticator - Response contains no authentication challenges
[DEBUG] 2021-03-25 07:39:08.004 [Radius Auth Listener] i18n - Interceptor Context: org.jboss.resteasy.core.interception.ClientReaderInterceptorContext, Method : proceed
[DEBUG] 2021-03-25 07:39:08.004 [Radius Auth Listener] i18n - MessageBodyReader: org.jboss.resteasy.spi.ResteasyProviderFactory$SortedKey
[DEBUG] 2021-03-25 07:39:08.004 [Radius Auth Listener] i18n - MessageBodyReader: org.jboss.resteasy.plugins.providers.StringTextStar
[DEBUG] 2021-03-25 07:39:08.004 [Radius Auth Listener] PoolingHttpClientConnectionManager - Connection [id: 1][route: {s}->https://gluu.solidex.minsk.by:443] can be kept alive for 5.0 seconds
[DEBUG] 2021-03-25 07:39:08.004 [Radius Auth Listener] PoolingHttpClientConnectionManager - Connection released: [id: 1][route: {s}->https://gluu.solidex.minsk.by:443][total kept alive: 1; route allocated: 1 of 20; total allocated: 1 of 100]
[DEBUG] 2021-03-25 07:39:08.005 [Radius Auth Listener] SuperGluuAuthClient - SuperGluu initial auth failed. Response: { "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.", "error": "invalid_client" }
[DEBUG] 2021-03-25 07:39:08.005 [Radius Auth Listener] SuperGluuAccessRequestFilter - Authentication failed for user {jsmith}.
[INFO ] 2021-03-25 07:39:08.005 [Radius Auth Listener] RadiusServer - send response: Access-Reject, ID 170
```

Please share the recipe for how 2FA with RADIUS can be enabled.

Thank you!
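Added example (not part of the original ticket and not Gluu's code): the token request in the log above authenticates to `/oxauth/restv1/token` with a signed JWT `client_assertion` and is answered with `invalid_client`, so a first triage step is to decode that assertion and compare its claims with the request. The request body, client id, key id and endpoint below are constructed placeholders, `check_client_assertion` is a hypothetical helper, and the signature is not verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_client_assertion(form_body, token_endpoint, now):
    """Return findings for the JWT client assertion in a token request body.

    Claims are decoded only; the signature is NOT verified here.
    """
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    assertion = params.get("client_assertion", "")
    if assertion.count(".") != 2:
        return ["no well-formed client_assertion in request"]
    header, claims = (b64url_json(p) for p in assertion.split(".")[:2])
    findings = []
    client_id = params.get("client_id")
    # For JWT client authentication, iss and sub must both be the client_id.
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        findings.append("iss/sub do not match client_id")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud is not the token endpoint")
    # A clock difference between the two hosts shows up here.
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        findings.append("request time outside iat..exp window")
    if "kid" not in header:
        findings.append("no kid in header")
    return findings

# Constructed sample request body (hypothetical client id, key id and endpoint).
ENDPOINT = "https://idp.example/oxauth/restv1/token"

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_body(aud, client_id="example-client-id"):
    header = {"kid": "example-key_sig_rs512", "typ": "JWT", "alg": "RS512"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud, "iat": 1000, "exp": 1300}
    jwt = ".".join([_seg(header), _seg(claims), "c2lnbmF0dXJl"])  # dummy signature
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "client_assertion": jwt, "username": "jsmith"})

if __name__ == "__main__":
    print(check_client_assertion(sample_body(ENDPOINT), ENDPOINT, now=1100))
    print(check_client_assertion(sample_body("https://other.example/token"), ENDPOINT, now=1100))
```

An empty result means the claims are self-consistent; what remains to check is on the server side, such as whether the client is registered and whether the key named by `kid` is among the keys the server holds for it.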

By Michael Schwartz Account Admin 25 Mar 2021 at 7:44 a.m. CDT

I don't think we support two step radius authentication. Gluu Radius is **really** simple, it's meant for just low end requirements. For more advanced Radius requirements, we recommend [Radiator](https://www.open.com.au/radiator/). It's open source, and they have excellent commercial support. They include a super gluu script with their distribution.