Problem with ip pools
Hi,

I'm using ip pools to manage my client ips from the radius side. Here's my conf:

* users file :

    DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
            Framed-Protocol = PPP,
            Framed-MTU = 576

* radiusd.conf file:

    ippool main_pool {
            range-start = 192.168.52.2
            range-stop = 192.168.52.254
            netmask = 255.255.255.0
            cache-size = 800
            session-db = ${raddbdir}/db.ippool
            ip-index = ${raddbdir}/db.ipindex
    }

Everything is working well for some days then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.

Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.

Thanks in advance for your help.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with ip pools
Hi,

The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.

Ok for the rlm_ippool_tool I'm gonna use it to see if my modification of radiusd.conf is working or not.

I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.

Thanks for answering.

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Thursday 31 March 2005 13:47
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with ip pools

On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side. Here's my conf:
>
> * users file :
>
>     DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>             Framed-Protocol = PPP,
>             Framed-MTU = 576
>
> * radiusd.conf file:
>
>     ippool main_pool {
>             range-start = 192.168.52.2
>             range-stop = 192.168.52.254
>             netmask = 255.255.255.0
>             cache-size = 800
>             session-db = ${raddbdir}/db.ippool
>             ip-index = ${raddbdir}/db.ipindex
>     }
>
> Everything is working well for some days then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
>
> Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
>
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool. rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older version did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos [EMAIL PROTECTED]
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: Problem with ip pools
Still no luck. I made a connection, then disconnect but the IP is always in the databases.

I would like to understand if accounting is working well. Only thing I know is that files in [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8 are being filled. (192.168.10.8 is a cisco router which acts as a NAS forwarding NAS requests).

    [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat auth-detail-20050331
    Packet-Type = Access-Request
    Thu Mar 31 14:31:55 2005
            Framed-Protocol = PPP
            User-Name = masqued
            CHAP-Password = masqued
            NAS-Port-Type = Virtual
            NAS-Port = 135
            Calling-Station-Id = masqued
            Called-Station-Id = masqued
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.10.8
            Client-IP-Address = 192.168.10.8
            CHAP-Challenge = masqued

    [EMAIL PROTECTED]:/usr/local/var/log/radius/radacct/192.168.10.8# cat reply-detail-20050331
    Packet-Type = Access-Accept
    Thu Mar 31 14:31:55 2005
            Framed-Protocol = PPP
            Framed-MTU = 576
            Framed-IP-Address = 192.168.52.79
            Framed-IP-Netmask = 255.255.255.0

Does this mean that accounting is working ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Sébastien Cantos
Sent: Thursday 31 March 2005 14:26
To: freeradius-users@lists.freeradius.org
Subject: RE: Problem with ip pools

Hi,

The main_pool line in the accounting section of the radiusd.conf file was commented ... Maybe that was my mistake.

Ok for the rlm_ippool_tool I'm gonna use it to see if my modification of radiusd.conf is working or not.

I was not using accounting at all so I forgot about it but it seems that I will have to configure it well to get the ip_pool working.

Thanks for answering.

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kostas Kalevras
Sent: Thursday 31 March 2005 13:47
To: freeradius-users@lists.freeradius.org
Subject: Re: Problem with ip pools

On Thu, 31 Mar 2005, Sébastien Cantos wrote:

> Hi,
>
> I'm using ip pools to manage my client ips from the radius side. Here's my conf:
>
> * users file :
>
>     DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
>             Framed-Protocol = PPP,
>             Framed-MTU = 576
>
> * radiusd.conf file:
>
>     ippool main_pool {
>             range-start = 192.168.52.2
>             range-stop = 192.168.52.254
>             netmask = 255.255.255.0
>             cache-size = 800
>             session-db = ${raddbdir}/db.ippool
>             ip-index = ${raddbdir}/db.ipindex
>     }
>
> Everything is working well for some days then my clients could not get any more ips from the radius. I've found a way to correct this by deleting the db.ip* files and restarting the radius but this is not *clean*.
>
> Is there a way to dump the content of the ippool database ? I want to understand how ips are freed from the pool because I think that there's a problem when a client disconnects. It seems that ips stay in the pool as used even if the client has disconnected.
>
> Thanks in advance for your help.

There's rlm_ippool_tool which might help you in src/modules/rlm_ippool. rlm_ippool depends on accounting working ok. If it is not working then you might get into problems. The module *does* have a few more methods of finding out stale records and deleting them:

1. maximum-timeout directive. You can set that to the maximum session time expected in your network (if that can be calculated) in order to make sure no ip remains active for more time than maximum-timeout.
2. Each time an authentication request is performed from a nas ip/port pair which has already an ip allocated that ip is cleaned up. That means that as long as your ip pool is as large as your nas ports number it will be difficult to run out of available ip's.

My suggestion is to make sure you don't run an old version of the module (older version did have problems) and to take a closer look at how well your accounting works.

> Regards,
> --
> Sebastien Cantos [EMAIL PROTECTED]
> Network / System Manager
> Neopost DIVA

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
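The three ways a lease leaves the pool that are named in this thread (Accounting-Stop, a new authentication from the same NAS ip/port pair, and maximum-timeout), modelled as an added example that is not FreeRADIUS code or part of the original posts. Class and function names are hypothetical, the pool is shrunk to three addresses, and the session list is constructed.

```python
"""Toy model of an IP pool whose leases are keyed by (NAS-IP-Address, NAS-Port).

Added illustration: names are hypothetical and this is not rlm_ippool's code.
"""
import ipaddress


class IPPool:
    def __init__(self, range_start, range_stop, maximum_timeout=0):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        self.free = [ipaddress.IPv4Address(n) for n in range(first, last + 1)]
        self.leases = {}                        # (nas_ip, nas_port) -> (ip, start)
        self.maximum_timeout = maximum_timeout  # seconds; 0 disables expiry

    def _release(self, key):
        lease = self.leases.pop(key, None)
        if lease is None:
            return False
        self.free.append(lease[0])
        return True

    def _expire(self, now):
        # Release path 3: maximum-timeout bounds the age of any lease.
        if self.maximum_timeout:
            for key, (_, start) in list(self.leases.items()):
                if now - start >= self.maximum_timeout:
                    self._release(key)

    def post_auth(self, nas_ip, nas_port, now):
        """Allocate an address for an accepted request; None if exhausted."""
        self._expire(now)
        # Release path 2: a new authentication from the same NAS ip/port
        # replaces whatever lease that pair still holds.
        self._release((nas_ip, nas_port))
        if not self.free:
            return None
        self.free.sort()
        ip = self.free.pop(0)
        self.leases[(nas_ip, nas_port)] = (ip, now)
        return str(ip)

    def accounting_stop(self, nas_ip, nas_port):
        # Release path 1: the Accounting-Stop for the session frees the lease.
        return self._release((nas_ip, nas_port))


def run_sessions(pool, sessions, accounting):
    """sessions: non-overlapping (nas_port, start, stop) tuples from one NAS."""
    nas_ip = "192.168.10.8"  # NAS address as shown in the thread's detail file
    assigned = []
    for port, start, _stop in sessions:
        assigned.append(pool.post_auth(nas_ip, port, start))
        if accounting:
            pool.accounting_stop(nas_ip, port)
    return assigned


# Constructed input: four short sessions, each on a different virtual port.
SESSIONS = [(135, 0, 600), (136, 7200, 7800), (137, 14400, 15000), (138, 21600, 22200)]


def demo():
    small = ("192.168.52.2", "192.168.52.4")  # 3 addresses, to exhaust quickly
    same_port = [(135, start, stop) for _, start, stop in SESSIONS]
    return {
        "no accounting": run_sessions(IPPool(*small), SESSIONS, False),
        "accounting": run_sessions(IPPool(*small), SESSIONS, True),
        "maximum-timeout=3600": run_sessions(
            IPPool(*small, maximum_timeout=3600), SESSIONS, False),
        "same port reused": run_sessions(IPPool(*small), same_port, False),
    }


if __name__ == "__main__":
    for name, ips in demo().items():
        print(f"{name:22} {ips}")
```

With no accounting, no timeout and a NAS-Port that changes on every session, the fourth request gets no address; each of the other three runs keeps reusing the first address.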
RE: rlm_ldap - Attribute User-Password is required for authentication
I had the same problem a few weeks ago. In fact the ldap wasn't returning the user-password so it wasn't working. Check with ldapsearch to make the query directly to the ldap as if you were the radius and I think that you will see that the userpassword is not returned.

> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make the search in the ldap is valid. I think that the radius is binding anonymously on the ldap so it can read passwords. Another thing to note is that you have to store passwords in clear text into the ldap.

    ldap {
            server = myserver.mydomain.com
            identity = cn=some_user_that_can_read_passwords_on_the_ldap
            password = password_for_this_user
            ...
    }

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of guest01
Sent: Tuesday 8 March 2005 15:44
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute User-Password is required for authentication

hm, radius is very strange
Can anyone please help me?

this is the logfile output after testing with radexample:

    rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
            User-Name = testuser
            User-Password = 123456
            Service-Type = Authenticate-Only
            NAS-IP-Address = 127.0.0.1
            NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    users: Matched DEFAULT at 152
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for testuser
    radius_xlat: '((objectclass=gibraltarUser)(uid=testuser))'
    radius_xlat: 'ou=users,dc=gibraltar,dc=local'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as / to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with filter ((objectclass=gibraltarUser)(uid=testuser))
    rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user testuser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
    rlm_ldap: - authenticate
    rlm_ldap: login attempt by testuser with password 123456
    rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
    rlm_ldap: (re)connect to localhost:389, authentication 1
    rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: user testuser authenticated succesfully
    modcall[authenticate]: module ldap returns ok for request 0
    modcall: group Auth-Type returns ok for request 0
    Sending Access-Accept of id 40 to 127.0.0.1:1025
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 40 with timestamp 422db560
    Nothing to do. Sleeping until we see a request.

and this is the output after trying to connect via pptpd with winxp prof.

    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = testuser
            NAS-IP-Address = 66.150.161.140
            NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 183
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for testuser
    radius_xlat: '((objectclass=gibraltarUser)(uid=testuser))'
    radius_xlat: 'ou=users,dc=gibraltar,dc=local'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as / to localhost:389
RE: rlm_ldap - Attribute User-Password is required for authentication
So maybe it's a NAS problem. Are you sure that the NAS is sending the userpassword in the request ?

--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of guest01
Sent: Tuesday 8 March 2005 16:16
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute User-Password is required for authentication

Sébastien Cantos wrote:

> I had the same problem a few weeks ago. In fact the ldap wasn't returning the user-password so it wasn't working. Check with ldapsearch to make the query directly to the ldap as if you were the radius and I think that you will see that the userpassword is not returned.

Thxs for your help, but it still doesn't work :-(

Ok, I store the passwords in cleartext (just base64encoded), ldapsearch works:

    ldapsearch -x -D cn=Manager,dc=gibraltar,dc=local -w secret ((objectclass=gibraltaruser)(uid=testuser)) userPassword
    # extended LDIF
    #
    # LDAPv3
    # base with scope sub
    # filter: ((objectclass=gibraltaruser)(uid=testuser))
    # requesting: userPassword
    #

    # testuser, users, gibraltar.local
    dn: uid=testuser,ou=users,dc=gibraltar,dc=local
    userPassword:: MTIzNDU2

    # search result
    search: 2
    result: 0 Success

> Make sure that the user/password in radiusd.conf for the user that will make the search in the ldap is valid. I think that the radius is binding anonymously on the ldap so it can read passwords. Another thing to note is that you have to store passwords in clear text into the ldap.
>
>     ldap {
>             server = myserver.mydomain.com
>             identity = cn=some_user_that_can_read_passwords_on_the_ldap
>             password = password_for_this_user
>             ...
>     }

hm, my LDAP is still in testing, therefore everyone is allowed everything... But I also tried it with the rootdn, but no difference. But I don't think that's the problem, because the authorization-part works fine, user testuser authorized to use remote access, just that damned authentication part ...

    rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = testuser
            NAS-IP-Address = 69.25.27.173
            NAS-Port = 0
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    users: Matched DEFAULT at 153
    users: Matched DEFAULT at 172
    users: Matched DEFAULT at 185
    modcall[authorize]: module files returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for testuser
    radius_xlat: '((objectclass=gibraltarUser)(uid=testuser))'
    radius_xlat: 'ou=users,dc=gibraltar,dc=local'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to localhost:389, authentication 0
    rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with filter ((objectclass=gibraltarUser)(uid=testuser))
    rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
    rlm_ldap: performing search in uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter (objectclass=radiusprofile)
    rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP op=21
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user testuser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type LDAP
    auth: type LDAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
    rlm_ldap: - authenticate
    rlm_ldap: Attribute User-Password is required for authentication.
    modcall[authenticate]: module ldap returns invalid for request 0
    modcall: group Auth-Type returns invalid for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 55 to 127.0.0.1:1025
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 55 with timestamp 422dc076
    Nothing to do. Sleeping until we see a request.

Any other ideas? How did you solve your problem?

regards
peda
RE: Ip pool management
Yes you are right. Launching the server in debug mode told me that Pool-name is a check item and that it should be on the first line.

The problem is that it is complaining:

    rlm_ippool: could not find Pool-Name attribute

For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients. Am I right ? If yes, I can't modify the request I got from the NAS (it's not mine). So is there a way to use ippool without this check item ?

Thanks for your help.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday 2 March 2005 18:50
To: freeradius-users@lists.freeradius.org
Subject: Re: Ip pool management

Sébastien Cantos [EMAIL PROTECTED] wrote:

> I've followed instructions in radiusd.conf :
> My users file looks like this:
>
>     DEFAULT Service-Type == Framed-User
>             Pool-Name := osiris-pool,

You did not follow the instructions in radiusd.conf. The Pool-Name attribute should go on the first line.

If you had run the server in debugging mode, the server would have told you this.

Alan DeKok.
RE: Ip pool management
Ok it works with :

    DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
            Framed-Protocol = PPP,
            Framed-MTU = 576

Thanks a lot for your help.

Kind Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Thursday 3 March 2005 17:41
To: freeradius-users@lists.freeradius.org
Subject: Re: Ip pool management

Sébastien Cantos [EMAIL PROTECTED] wrote:

> The problem is that it is complaining:
>
>     rlm_ippool: could not find Pool-Name attribute

The *module* is printing that message because the Pool-Name attribute is not found in the list of check items.

> For my *newbie* understanding, if the Pool-name is a check item it should be in the request I get from my clients.

No. Nothing in the server documentation would lead you to that conclusion. The documentation would lead you to the *correct* conclusion, which is that the check items are not the request items.

Alan DeKok.
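How the placement of Pool-Name decides which list it lands in, shown with a small parser for the two users-file entries from this thread. This is an added example, not FreeRADIUS code or part of the original posts: the function names are hypothetical, and the parser handles only a single entry with the operators seen on this page.

```python
import re

# One "Attribute op value" item; only operators that appear in this thread.
ITEM = re.compile(r"^([\w-]+)\s*(:=|==|\+=|=)\s*(.+)$")


def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for piece in text.split(","):
        piece = piece.strip()
        if not piece:
            continue  # trailing comma at the end of a line
        match = ITEM.match(piece)
        if not match:
            raise ValueError(f"cannot parse item: {piece!r}")
        items.append(match.groups())
    return items


def parse_users_entry(entry):
    """Return (name, check_items, reply_items) for one users-file entry.

    The first line holds the entry name followed by the check items;
    the indented lines that follow hold the reply items.
    """
    lines = [line for line in entry.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    parts = lines[0].split(None, 1)
    name = parts[0]
    check_items = parse_items(parts[1]) if len(parts) > 1 else []
    reply_items = []
    for line in lines[1:]:
        if not line[0].isspace():
            raise ValueError("reply lines must be indented")
        reply_items.extend(parse_items(line))
    return name, check_items, reply_items


def pool_name_in_check_items(entry):
    """Model of the lookup behind 'could not find Pool-Name attribute'."""
    _, check_items, _ = parse_users_entry(entry)
    return next((v for attr, _, v in check_items if attr == "Pool-Name"), None)


# The entry that produced the error (Pool-Name on the second line).
BROKEN = """DEFAULT Service-Type == Framed-User
        Pool-Name := osiris-pool,
        Framed-Protocol = PPP,
        Framed-MTU = 576
"""

# The entry reported as working (Pool-Name on the first line).
FIXED = """DEFAULT Service-Type == Framed-User, Pool-Name := main_pool
        Framed-Protocol = PPP,
        Framed-MTU = 576
"""

if __name__ == "__main__":
    for label, entry in (("broken", BROKEN), ("fixed", FIXED)):
        name, check, reply = parse_users_entry(entry)
        print(label, "check:", check)
        print(label, "reply:", reply)
        print(label, "Pool-Name seen as check item:", pool_name_in_check_items(entry))
```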
RE: Ip pool management
Hi,

I've followed instructions in radiusd.conf :

My users file looks like this:

    DEFAULT Service-Type == Framed-User
            Pool-Name := osiris-pool,
            Framed-Protocol = PPP,
            Framed-MTU = 576

And in my radiusd.conf I've:

    post-auth {
            # Get an address from the IP Pool.
            # main_pool
            osiris-pool
            ...
    }

    modules {
            ...
            ippool osiris-pool {
                    range-start = 192.168.52.1
                    range-stop = 192.168.52.254
                    netmask = 255.255.255.0
                    cache-size = 800
                    session-db = ${raddbdir}/db.ippool
                    ip-index = ${raddbdir}/db.ipindex
            }
    }

I get this error :

    rlm_ippool: could not find Pool-Name attribute

And my client doesn't get back the IP.

I surely miss something. Could someone help me please ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Tuesday 1 March 2005 18:50
To: freeradius-users@lists.freeradius.org
Subject: Re: Ip pool management

Sébastien Cantos [EMAIL PROTECTED] wrote:

> I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without caring about the NAS modem number. Is there a way to configure this ?

Read radiusd.conf. Look for ippool

Alan DeKok.
Ip pool management
Hi,

I've something like this in my user file:

    DEFAULT Service-Type == Framed-User
            Framed-Protocol = PPP,
            Framed-MTU = 576,
            Framed-IP-Address = 192.168.52.1+,
            Framed-IP-Netmask = 255.255.255.0

I've noticed that the IP on the client side depends on the NAS modem number. For example if modem is number 1 the IP is 192.168.52.1, if modem is number 10, ip is 192.168.52.10.

I would like to configure my radius to give the first available IP in the subnet 192.168.52.0/24 without caring about the NAS modem number. Is there a way to configure this ?

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA
RE: FreeRadius with LDAP
Rlm_ldap needs some openldap libraries to compile well on solaris. One solution is to install OpenLDAP even if you use Sun LDAP. This way the module will compile.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Michael Mitchell
Sent: Friday 18 February 2005 13:30
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius with LDAP

dbx is your friend...

But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:

> Hello!
>
> We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command:
>
>     /usr/local/sbin/radiusd -S -X
>
> You can view the radiusd.conf and users files, and the error we get is this:
>
>     Module: Loaded exec
>     exec: wait = yes
>     exec: program = (null)
>     exec: input_pairs = request
>     exec: output_pairs = (null)
>     exec: packet_type = (null)
>     rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>     Module: Instantiated exec (exec)
>     Module: Loaded expr
>     Module: Instantiated expr (expr)
>     Module: Loaded PAP
>     pap: encryption_scheme = crypt
>     Module: Instantiated pap (pap)
>     Module: Loaded CHAP
>     Module: Instantiated chap (chap)
>     Segmentation Fault
>
> Anyone can help us?
>
> Thanks very much!
LDAP + CHAP problem
Hello,

I'm trying to figure out how to make freeradius work with LDAP and CHAP authentication.

My user file looks like this:

    DEFAULT Service-Type = Framed-User
            Framed-Protocol = PPP,
            Framed-IP-Address = 192.168.10.100+,
            Framed-IP-Netmask = 255.255.255.0

And in my radiusd.conf I've something like this:

    modules {
            ...
            chap {
                    authtype = CHAP
            }
            ldap {
                    server = myserver
                    basedn = ou=devices,o=group,dc=toto,dc=com
                    filter = (cn=%u)
                    ldap_connections_number = 5
                    password_header = {clear}
                    password_attribute = userPassword
                    timeout = 4
                    timelimit = 3
                    net_timeout = 1
            }
    }

    authorize {
            chap
            ldap
            files
    }

    authenticate {
            Auth-Type CHAP {
                    chap
            }
            Auth-Type LDAP {
                    ldap
            }
    }

Everything is working well with the radtest utility which sends User-Password Attribute, but when I try to authenticate a client that sends Chap-password I've the following output:

    rlm_ldap: user authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    users: Matched DEFAULT at 4
    modcall[authorize]: module files returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password: Found Auth-Type CHAP
    auth: type CHAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authtype for request 0
    rlm_chap: login attempt by with CHAP password
    rlm_chap: Could not find clear text password for user
    modcall[authenticate]: module chap returns invalid for request 0
    modcall: group authtype returns invalid for request 0
    auth: Failed to validate the user.
    Login incorrect (rlm_chap: Clear text password not available): [/CHAP-Password] (from client radiusFT port 99 cli 490760808)

I've read a lot of posts and FAQs but didn't find any solution.

Can anyone help me in solving this problem please ?

Thanks in advance

Best regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA
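Why a CHAP check needs the clear-text password, as an added example that is not code from the original post or from FreeRADIUS: per RFC 1994 the CHAP response is MD5 over the identifier, the password and the challenge, so the server can only verify it by recomputing that hash from the clear-text value, which a hashed userPassword cannot supply. Function names, the challenge and the hashed sample are constructed; the `{clear}` header and the LDIF value `MTIzNDU2` are the ones that appear on this page.

```python
import base64
import hashlib
import hmac


def chap_password(chap_id, password, challenge):
    """Peer side (RFC 1994): identifier byte + MD5(id | password | challenge).

    This 17-byte value is what arrives in the RADIUS CHAP-Password attribute.
    """
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def ldif_value(line):
    """Decode one LDIF attribute line; 'attr:: ...' is base64, not encryption."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()


def cleartext_from_directory(user_password, header=b"{clear}"):
    """Return the clear-text password, or None if only a one-way hash is stored."""
    if user_password.lower().startswith(header):
        return user_password[len(header):]
    if user_password.startswith(b"{"):
        return None  # {SSHA}, {MD5}, {CRYPT} ...: cannot be fed into the CHAP hash
    return user_password


def check_chap(chap_password_attr, challenge, user_password):
    """Server side: recompute the response from the stored password."""
    if len(chap_password_attr) != 17:
        return "reject: malformed CHAP-Password"
    clear = cleartext_from_directory(user_password)
    if clear is None:
        return "invalid: clear text password not available"
    expected = hashlib.md5(chap_password_attr[:1] + clear + challenge).digest()
    if hmac.compare_digest(expected, chap_password_attr[1:]):
        return "accept"
    return "reject: wrong password"


def constructed_ssha(password, salt=b"salt"):
    """Build a sample {SSHA} value for the demo (constructed, not from the page)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


if __name__ == "__main__":
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    request = chap_password(1, b"123456", challenge)
    stored = ldif_value("userPassword:: MTIzNDU2")
    print("plain userPassword :", check_chap(request, challenge, stored))
    print("{clear} header     :", check_chap(request, challenge, b"{clear}123456"))
    print("hashed userPassword:", check_chap(request, challenge, constructed_ssha(b"123456")))
    print("other password     :", check_chap(request, challenge, b"654321"))
```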