Hello,

FreeRADIUS has 2 mechanisms - authorization and authentication. Let me explain how these mechanisms SHOULD work together in a few examples.

If you store passwords in LDAP, you should retrieve these passwords during AUTHORIZATION and add these passwords to configuration items. That is, the LDAP module SHOULD have an authorize() function. If LDAP stores cleartext passwords, authorize() should add PW_PASSWORD to request->config_items and use native 'Local' authentication. If you have NTLM encoded passwords in LDAP (like in the case of Microsoft), you should add PW_LM_PASSWORD/PW_NT_PASSWORD and use 'mschap' authentication (mschap already supports these attributes in the current EXP CVS branch). That is:

    authorize {
        ldap   -> retrieves PW_LM_PASSWORD/PW_NT_PASSWORD and sets Auth-Type to MS-CHAP
    }
    authenticate {
        mschap -> authenticates user with PW_LM_PASSWORD/PW_NT_PASSWORD
    }

This authentication will support PAP, MS-CHAP and MS-CHAPv2 (but not CHAP, because we do not have the cleartext password).

In case you store cleartext passwords in LDAP you will be able to use PAP, CHAP, MS-CHAP and MS-CHAPv2 by doing:

    authorize {
        ldap   -> retrieves PW_PASSWORD and sets Auth-Type to Local
        mschap -> builds PW_LM_PASSWORD/PW_NT_PASSWORD from PW_PASSWORD and resets Auth-Type to MS-CHAP if NAS requests MS-CHAP or MS-CHAP v2
    }
    authenticate {
        local  -> authenticates user with PW_PASSWORD in case of PAP or CHAP
        mschap -> authenticates user with PW_LM_PASSWORD/PW_NT_PASSWORD in case of MS-CHAP or MS-CHAP v2
    }

If you use LDAP to authenticate the user (that is, to connect to the LDAP dn with credentials given by the NAS) like:

TZ> 1. Look up the complete dn of the given uid
TZ> 2. Try an ldap-connect using the dn and the password given.

only in this case should you use LDAP for authentication and have an authenticate() function. In this case there is no way to support other authentication schemes, like CHAP or MS-CHAP, because you have no way to store the cleartext (or NT/LM encoded, crypt'ed, etc.) password. You will only be able to do cleartext (PAP) authentication.

In both cases I see no reason for doing any password prefixes.

P.S. For a while it looks like only rlm_mschap supports this authorize/authenticate philosophy, but I believe other modules (like rlm_unix) will be patched to do both authorization (to create a Crypt-Password attribute from the cleartext password or from the passwd file) and authentication (to authenticate via the crypt'ed password retrieved from another module during authorization).

--
~/ZARAZA
The machine turned out to be capable of only one action, namely multiplying 2x2, and even then it made mistakes. (Lem)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
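As an added example (not from this post or from FreeRADIUS itself), here is a small Python model of the two-phase flow described above, with a constructed in-memory directory standing in for LDAP and hypothetical user entries. The authorize step copies the stored credential into config items and picks Auth-Type, and the Local authenticate step shows why PAP and CHAP (RFC 1994 MD5 response) both need the cleartext PW_PASSWORD, so an entry holding only an NT-hash attribute cannot serve CHAP.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory (hypothetical users/values):
# alice has a cleartext password, bob only an NT-hash-style attribute.
DIRECTORY = {
    "alice": {"userPassword": "s3cret"},
    "bob": {"ntPassword": "PLACEHOLDER_NT_HASH_HEX"},
}

@dataclass
class Request:
    user: str
    config_items: dict = field(default_factory=dict)  # filled by authorize()
    auth_type: str = None

def ldap_authorize(req):
    """authorize(): copy the stored credential into config items, pick Auth-Type."""
    entry = DIRECTORY.get(req.user, {})
    if "userPassword" in entry:
        req.config_items["PW_PASSWORD"] = entry["userPassword"]
        req.auth_type = "Local"
    elif "ntPassword" in entry:
        req.config_items["PW_NT_PASSWORD"] = entry["ntPassword"]
        req.auth_type = "MS-CHAP"
    return req

def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def local_authenticate(req, method, proof):
    """authenticate() for Auth-Type Local: PAP and CHAP need cleartext PW_PASSWORD."""
    cleartext = req.config_items.get("PW_PASSWORD")
    if cleartext is None:
        return "reject: %s needs a cleartext password" % method
    if method == "PAP":
        ok = hmac.compare_digest(cleartext.encode(), proof["password"].encode())
    elif method == "CHAP":
        expected = chap_response(proof["id"], cleartext, proof["challenge"])
        ok = hmac.compare_digest(expected, proof["response"])
    else:
        return "reject: unknown method %s" % method
    return "accept" if ok else "reject: bad credentials"

def run(user, method, proof):
    """Both phases in order, as the server would run them; returns (Auth-Type, result)."""
    req = ldap_authorize(Request(user))
    return req.auth_type, local_authenticate(req, method, proof)
```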