RADIUS PAM does not want to authorize user using PAM

Hello Folks,

Today I bought a YubiKey. It works great with RADIUS using PAM, but I found a problem: MikroTik doesn't want to authorize the user, and every request gets the error message

“pam: Attribute "User-Password" is required for authentication”

I’m using PAM authentication

Debug output from freeradius

(2) files: users: Matched entry DEFAULT at line 185
(2)     [files] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)   } # authorize = ok
(2) Found Auth-Type = pam
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) pam: Attribute "User-Password" is required for authentication
(2)     [pam] = invalid
(2)   } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}

Radius configuration at Mikrotik

/radius
add address=192.168.0.2 secret=1234567895 service=login
/user aaa
set default-group=full use-radius=yes

All FreeRADIUS integration examples we found rely on PAM, which requires PAP Authenticator. MikroTik uses MS-CHAP v2, which doesn't transmit the password using reversible encryption, so it is impossible to split out the Yubico OTP from the password on the RADIUS server.

We did, however, come up with a solution to still enable YubiKey MFA; the steps are detailed in the following guide:

http://lists.freeradius.org/pipermail/freeradius-users/2021-February/099521.html
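
The point made in the reply above, as an added example that is not part of the original thread: with PAP, the RADIUS server can undo the RFC 2865 User-Password hiding with the shared secret and then cut the OTP off the end of the cleartext, which is what the PAM-based setups depend on. The "static password followed by a 44-character modhex OTP" layout is an assumption about the YubiKey setup, and the secret, authenticator and password are constructed sample values.

```python
import hashlib

OTP_LEN = 44                      # assumption: standard 44-character Yubico OTP
MODHEX = set("cbdefghijklnrtuv")  # modhex alphabet used by Yubico OTPs


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password as in RFC 2865 section 5.2."""
    blocks = max(1, -(-len(password) // 16))       # pad to a multiple of 16
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream plus the shared secret yields cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def split_otp(cleartext: str):
    """Return (static_password, otp); otp is None without a modhex OTP suffix."""
    otp = cleartext[-OTP_LEN:]
    if len(cleartext) < OTP_LEN or not set(otp) <= MODHEX:
        return cleartext, None
    return cleartext[:-OTP_LEN], otp


# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
SAMPLE_OTP = "cccccccccccc" + "cbdefghijklnrtuv" * 2

if __name__ == "__main__":
    hidden = pap_hide(("hunter2" + SAMPLE_OTP).encode(), SECRET, AUTHENTICATOR)
    clear = pap_recover(hidden, SECRET, AUTHENTICATOR).decode()
    print(split_otp(clear))
```

An MS-CHAP v2 request carries only a challenge and a response computed from the password, so there is no counterpart to `pap_recover` for it and the `pam` module never sees a User-Password attribute.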