<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Tahoma">
<DIV>> have you tested from a non-Windows box to ensure that you haven't fallen foul of the usual EAP problems - as clearly noted at the top of eap.conf?<BR></DIV>
<DIV>No, I am not able to do so as I do not have an extra box. I have searched through all configurations to make sure that 'Auth-Type := EAP' is not set, as stated in the eap.conf.</DIV>
<DIV>______________________</DIV>
<DIV>eap.conf</DIV>
<DIV>______________________</DIV>
<DIV> eap {<BR> <BR> default_eap_type = tls<BR> timer_expire = 60<BR> ignore_unknown_eap_types = no<BR> cisco_accounting_username_bug = no</DIV>
<DIV> </DIV>
<DIV> # Supported EAP-types<BR> md5 {<BR> }<BR> # Cisco LEAP<BR> leap {<BR> }<BR> # Generic Token Card.<BR> gtc {<BR> #challenge = "Password: "<BR> auth_type = PAP<BR> }</DIV>
<DIV> </DIV>
<DIV> ## EAP-TLS<BR> tls {<BR> private_key_password = demo<BR> private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem<BR> certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt<BR> CA_file = ${certsdir}/FreeRADIUS.net-CA.crt<BR> dh_file = ${certsdir}/dh<BR> random_file = ${certsdir}/random<BR> # fragment_size = 1024<BR> # include_length = yes<BR> # check_crl = yes<BR> check_cert_cn = %{User-Name}<BR> }</DIV>
<DIV> </DIV>
<DIV> ttls {<BR> default_eap_type = md5<BR> copy_request_to_tunnel = no<BR> use_tunneled_reply = yes <BR> <BR> }<BR> peap {<BR> default_eap_type = mschapv2<BR> }</DIV>
<DIV> </DIV>
<DIV> mschapv2 {<BR> }<BR> }<BR>------------------------------------------------------------------------</DIV>
<DIV>I am not using LDAP or a Windows Domain Controller. I am using the users.conf file for this.</DIV>
<DIV> </DIV>
<DIV><FONT face="Courier New"><TT>______________</TT></FONT></DIV>
<DIV><FONT face="Courier New"><TT>eap.conf</TT></FONT></DIV>
<DIV>________________</DIV>
<DIV>53986067 User-Password := "whatever"</DIV>
<DIV> </DIV>
<DIV>#53986067 Cleartext-Password := "whatever"</DIV>
<DIV> </DIV>
<DIV>testuser User-Password == "testpw"</DIV>
<DIV> </DIV>
<DIV>DEFAULT Auth-Type = System<BR> Fall-Through = 1</DIV>
<DIV> </DIV>
<DIV>DEFAULT Service-Type == Framed-User<BR> Framed-IP-Address = 255.255.255.254,<BR> Framed-MTU = 576,<BR> Service-Type = Framed-User,<BR> Fall-Through = Yes</DIV>
<DIV> </DIV>
<DIV>DEFAULT Framed-Protocol == PPP<BR> Framed-Protocol = PPP,<BR> Framed-Compression = Van-Jacobson-TCP-IP</DIV>
<DIV> </DIV>
<DIV>DEFAULT Hint == "CSLIP"<BR> Framed-Protocol = SLIP,<BR> Framed-Compression = Van-Jacobson-TCP-IP</DIV>
<DIV> </DIV>
<DIV>DEFAULT Hint == "SLIP"<BR> Framed-Protocol = SLIP<BR>-----------------------------------------------------------------------------------------------</DIV>
<DIV> </DIV>
<DIV>_______________</DIV>
<DIV>radiusd.conf</DIV>
<DIV>________________</DIV>
<DIV> </DIV>
<DIV>prefix = ..<BR>exec_prefix = ${prefix}<BR>sysconfdir = ${prefix}/etc<BR>localstatedir = ${prefix}/var<BR>sbindir = ${exec_prefix}/sbin<BR>logdir = ${localstatedir}/log/radius<BR>raddbdir = ${sysconfdir}/raddb<BR>radacctdir = ${logdir}/radacct<BR>certsdir = ${sysconfdir}/raddb/certs/FreeRADIUS.net/DemoCerts<BR>confdir = ${raddbdir}<BR>run_dir = ${localstatedir}/run/radiusd<BR>log_file = ${logdir}/radius.log<BR>libdir = ${exec_prefix}/lib<BR>pidfile = ${run_dir}/radiusd.pid<BR>#user = nobody<BR>#group = nobody<BR>max_request_time = 30<BR>delete_blocked_requests = no<BR>cleanup_delay = 5<BR>max_requests = 1024<BR>bind_address = *<BR>port = 0<BR>hostname_lookups = no<BR>allow_core_dumps = no<BR>regular_expressions = yes<BR>extended_expressions = yes<BR>log_stripped_names = yes<BR>log_auth = yes<BR>log_auth_badpass = yes<BR>log_auth_goodpass = yes<BR>usercollide = no<BR>lower_user = no<BR>lower_pass = no<BR>nospace_user = no<BR>nospace_pass = no<BR>checkrad = ${sbindir}/checkrad<BR>security {<BR> max_attributes = 200<BR> reject_delay = 1<BR> status_server = no<BR>}<BR>proxy_requests = yes<BR>$INCLUDE ${confdir}/proxy.conf<BR>$INCLUDE ${confdir}/clients.conf<BR>snmp = no<BR>$INCLUDE ${confdir}/snmp.conf<BR>thread pool {<BR> start_servers = 5<BR> max_servers = 32<BR> min_spare_servers = 3<BR> max_spare_servers = 10<BR> max_requests_per_server = 0<BR>}<BR>modules {<BR> pap {<BR> auto_header = yes<BR> }</DIV>
<DIV> </DIV>
<DIV> chap {<BR> authtype = CHAP<BR> }</DIV>
<DIV> </DIV>
<DIV> pam {<BR> pam_auth = radiusd<BR> }<BR> unix {<BR> cache = no<BR> cache_reload = 600<BR> radwtmp = ${logdir}/radwtmp<BR> }<BR>$INCLUDE ${confdir}/eap.conf<BR> mschap {<BR> #use_mppe = no<BR> #require_encryption = yes<BR> #require_strong = yes<BR> with_ntdomain_hack = yes<BR> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"<BR> }<BR> ldap {<BR> server = "ldap.your.domain"<BR> # identity = "cn=admin,o=My Org,c=UA"<BR> # password = mypass<BR> basedn = "o=My Org,c=UA"<BR> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"<BR> # base_filter = "(objectclass=radiusprofile)"<BR> start_tls = no</DIV>
<DIV> </DIV>
<DIV> # tls_cacertfile = /path/to/cacert.pem<BR> # tls_cacertdir = /path/to/ca/dir/<BR> # tls_certfile = /path/to/radius.crt<BR> # tls_keyfile = /path/to/radius.key<BR> # tls_randfile = /path/to/rnd<BR> # tls_require_cert = "demand"<BR> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"<BR> # profile_attribute = "radiusProfileDn"<BR> access_attr = "dialupAccess"<BR> dictionary_mapping = ${raddbdir}/ldap.attrmap<BR> ldap_connections_number = 5<BR> # password_attribute = userPassword<BR> # edir_account_policy_check=no<BR> # groupname_attribute = cn<BR> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"<BR> # groupmembership_attribute = radiusGroupName<BR> timeout = 4<BR> timelimit = 3<BR> net_timeout = 1<BR> # compare_check_items = yes<BR> # do_xlat = yes<BR> # access_attr_used_for_allow = yes<BR> # set_auth_type = yes<BR> }<BR> #passwd etc_smbpasswd {<BR> # filename = /etc/smbpasswd<BR> # format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"<BR> # authtype = MS-CHAP<BR> # hashsize = 100<BR> # ignorenislike = no<BR> # allowmultiplekeys = no<BR> #}</DIV>
<DIV> </DIV>
<DIV> #passwd etc_group {<BR> # filename = /etc/group<BR> # format = "=Group-Name:::*,User-Name"<BR> # hashsize = 50<BR> # ignorenislike = yes<BR> # allowmultiplekeys = yes<BR> # delimiter = ":"<BR> #}<BR> realm IPASS {<BR> format = prefix<BR> delimiter = "/"<BR> ignore_default = no<BR> ignore_null = no<BR> }<BR> realm suffix {<BR> format = suffix<BR> delimiter = "@"<BR> ignore_default = no<BR> ignore_null = no<BR> }<BR> realm realmpercent {<BR> format = suffix<BR> delimiter = "%"<BR> ignore_default = no<BR> ignore_null = no<BR> }<BR> realm ntdomain {<BR> format = prefix<BR> delimiter = "\\"<BR> ignore_default = no<BR> ignore_null = no<BR> } <BR> checkval {<BR> item-name = Calling-Station-Id<BR> check-name = Calling-Station-Id<BR> data-type = string<BR> #notfound-reject = no<BR> }<BR> #attr_rewrite sanecallerid {<BR> # attribute = Called-Station-Id<BR> # may be "packet", "reply", "proxy", "proxy_reply" or "config"<BR> # searchin = packet<BR> # searchfor = "[+ ]"<BR> # replacewith = ""<BR> # ignore_case = no<BR> # new_attribute = no<BR> # max_matches = 10<BR> # ## If set to yes then the replace string will be appended to the original string<BR> # append = no<BR> #}<BR> preprocess {<BR> huntgroups = ${confdir}/huntgroups<BR> hints = ${confdir}/hints<BR> with_ascend_hack = no<BR> ascend_channels_per_line = 23<BR> with_ntdomain_hack = yes<BR> with_specialix_jetstream_hack = no<BR> with_cisco_vsa_hack = no<BR> }<BR> files {<BR> usersfile = ${confdir}/users<BR> acctusersfile = ${confdir}/acct_users<BR> preproxy_usersfile = ${confdir}/preproxy_users<BR> compat = no<BR> }<BR> detail {<BR> detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d.log<BR> detailperm = 0777<BR> #suppress {<BR> # User-Password<BR> #}<BR> }<BR> detail auth_log {<BR> detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d.log<BR> detailperm = 0777<BR> }<BR> detail reply_log {<BR> detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d.log<BR> detailperm = 0777<BR> 
}<BR> detail pre_proxy_log {<BR> detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d.log<BR> detailperm = 0777<BR> }<BR> detail post_proxy_log {<BR> detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d.log<BR> detailperm = 0777<BR> }<BR># sql_log {<BR># path = ${radacctdir}/sql-relay<BR># acct_table = "radacct"<BR># postauth_table = "radpostauth"<BR>#<BR># Start = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \<BR># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \<BR># AcctSessionTime, AcctTerminateCause) VALUES \<BR># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \<BR># '%{Framed-IP-Address}', '%S', '0', '0', '');"<BR># Stop = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \<BR># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \<BR># AcctSessionTime, AcctTerminateCause) VALUES \<BR># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \<BR># '%{Framed-IP-Address}', '0', '%S', '%{Acct-Session-Time}', \<BR># '%{Acct-Terminate-Cause}');"<BR># Alive = "INSERT INTO ${acct_table} (AcctSessionId, UserName, \<BR># NASIPAddress, FramedIPAddress, AcctStartTime, AcctStopTime, \<BR># AcctSessionTime, AcctTerminateCause) VALUES \<BR># ('%{Acct-Session-Id}', '%{User-Name}', '%{NAS-IP-Address}', \<BR># '%{Framed-IP-Address}', '0', '0', '%{Acct-Session-Time}','');"<BR>#<BR># Post-Auth = "INSERT INTO ${postauth_table} \<BR># (user, pass, reply, date) VALUES \<BR># ('%{User-Name}', '%{User-Password:-Chap-Password}', \<BR># '%{reply:Packet-Type}', '%S');"<BR># }<BR> acct_unique {<BR> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR> }<BR> $INCLUDE ${confdir}/sql.conf<BR> radutmp {<BR> filename = ${logdir}/radutmp<BR> username = %{User-Name}<BR> case_sensitive = yes<BR> check_with_nas = yes <BR> perm = 0777<BR> callerid = "yes"<BR> }<BR> radutmp sradutmp {<BR> filename = ${logdir}/sradutmp<BR> perm = 0777<BR> callerid = "no"<BR> }<BR> attr_filter {<BR> 
attrsfile = ${confdir}/attrs<BR> }<BR> counter daily {<BR> filename = ${raddbdir}/db.daily<BR> key = User-Name<BR> count-attribute = Acct-Session-Time<BR> reset = daily<BR> counter-name = Daily-Session-Time<BR> check-name = Max-Daily-Session<BR> allowed-servicetype = Framed-User<BR> cache-size = 5000<BR> }<BR> #sqlcounter dailycounter {<BR> counter-name = Daily-Session-Time<BR> check-name = Max-Daily-Session<BR> reply-name = Session-Timeout<BR> sqlmod-inst = sql<BR> key = User-Name<BR> reset = daily<BR> # For mysql:<BR># query = "SELECT SUM(AcctSessionTime - \<BR># GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<BR># FROM radacct WHERE UserName='%{%k}' AND \<BR># UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<BR> # For postgresql:<BR># query = "SELECT SUM(AcctSessionTime - \<BR># GREATER((%b - AcctStartTime::ABSTIME::INT4), 0)) \<BR># FROM radacct WHERE UserName='%{%k}' AND \<BR># AcctStartTime::ABSTIME::INT4 + AcctSessionTime > '%b'"<BR> # For mysql:<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \<BR># UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"<BR> # For postgresql:<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \<BR># UserName='%{%k}' AND AND AcctStartTime::ABSTIME::INT4 > '%b'"<BR> # For mysql:<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct \<BR># WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \<BR># FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"<BR> # For postgresql:<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct \<BR># WHERE UserName='%{%k}' AND AcctStartTime::ABSTIME::INT4 \<BR># BETWEEN '%b' AND '%e'"<BR># }<BR># sqlcounter monthlycounter {<BR> counter-name = Monthly-Session-Time<BR> check-name = Max-Monthly-Session<BR> reply-name = Session-Timeout<BR> sqlmod-inst = sql<BR> key = User-Name<BR> reset = monthly<BR> query = "SELECT SUM(AcctSessionTime - \<BR># GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \<BR># FROM radacct WHERE UserName='%{%k}' AND \<BR># 
UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE \<BR># UserName='%{%k}' AND AcctStartTime > FROM_UNIXTIME('%b')"<BR># query = "SELECT SUM(AcctSessionTime) FROM radacct \<BR># WHERE UserName='%{%k}' AND AcctStartTime BETWEEN \<BR># FROM_UNIXTIME('%b') AND FROM_UNIXTIME('%e')"<BR># }<BR> always fail {<BR> rcode = fail<BR> }<BR> always reject {<BR> rcode = reject<BR> }<BR> always ok {<BR> rcode = ok<BR> simulcount = 0<BR> mpp = no<BR> }<BR> expr {<BR> }<BR> digest {<BR> }<BR> exec {<BR> wait = yes<BR> input_pairs = request<BR> }<BR> exec echo {<BR> wait = yes<BR> program = "/bin/echo %{User-Name}"<BR> input_pairs = request<BR> output_pairs = reply<BR> #packet_type = Access-Accept<BR> }<BR> ippool main_pool {<BR> range-start = 192.168.1.1<BR> range-stop = 192.168.3.254<BR> netmask = 255.255.255.0<BR> cache-size = 800<BR> session-db = ${raddbdir}/db.ippool<BR> ip-index = ${raddbdir}/db.ipindex<BR> override = no<BR> maximum-timeout = 0<BR> }</DIV>
<DIV> </DIV>
<DIV> # $INCLUDE ${confdir}/sqlippool.conf<BR> # $INCLUDE ${confdir}/otp.conf</DIV>
<DIV> </DIV>
<DIV>}</DIV>
<DIV> </DIV>
<DIV>instantiate {<BR> exec<BR> expr<BR># daily<BR>}<BR>authorize {<BR> preprocess<BR> auth_log<BR># attr_filter<BR> chap<BR> mschap<BR># digest<BR># IPASS<BR> suffix<BR># ntdomain<BR> eap<BR> files<BR># sql<BR># etc_smbpasswd<BR># ldap<BR># daily<BR># checkval<BR> pap<BR>}<BR>authenticate {<BR> Auth-Type PAP {<BR> pap<BR> }<BR> Auth-Type CHAP {<BR> chap<BR> }<BR> Auth-Type MS-CHAP {<BR> mschap<BR> }<BR># digest<BR># pam<BR> unix<BR># Auth-Type LDAP {<BR># ldap<BR># }<BR> eap<BR>}<BR>preacct {<BR> preprocess<BR> acct_unique<BR># IPASS<BR> suffix<BR># ntdomain<BR> files<BR>}<BR>accounting {<BR> detail<BR> daily<BR> unix<BR> radutmp<BR># sradutmp<BR># main_pool<BR># sql<BR># sql_log<BR># pgsql-voip</DIV>
<DIV> </DIV>
<DIV>}<BR>session {<BR> radutmp<BR># sql<BR>}<BR>post-auth {<BR># main_pool<BR> reply_log<BR># sql<BR># sql_log<BR># ldap<BR># Post-Auth-Type REJECT {<BR># insert-module-name-here<BR># }</DIV>
<DIV> </DIV>
<DIV>}<BR>pre-proxy {<BR># attr_rewrite<BR># files<BR> pre_proxy_log<BR>}<BR>post-proxy {<BR> post_proxy_log<BR># attr_rewrite<BR># attr_filter<BR> eap<BR>}</DIV>
<DIV>--------------------------------------------------------</DIV>
<DIV>I still get the same results from the debug.</DIV>
<DIV>______________</DIV>
<DIV>debug</DIV>
<DIV>--------------------</DIV>
<DIV>rad_recv: Access-Request packet from host 10.219.157.232:20000, id=63, length=149<BR> NAS-Port-Id = "2/1"<BR> Calling-Station-Id = "00-0F-CB-FA-D4-63"<BR> Called-Station-Id = "00-18-6E-95-A2-C0:ELHC"<BR> Service-Type = Framed-User<BR> EAP-Message = 0x0201001401434e393030305c3533393836303637<BR> User-Name = "CN9000\\53986067"<BR> NAS-Port-Type = Wireless-802.11<BR> NAS-Identifier = "3Com"<BR> NAS-IP-Address = 10.219.157.232<BR> Message-Authenticator = 0x9e21864de4c626d3cfdac3077ceda7bb<BR> Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 0<BR> modcall[authorize]: module "preprocess" returns ok for request 0<BR>radius_xlat: '../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log'<BR>rlm_detail: ../var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d.log expands to ../var/log/radius/radacct/10.219.157.232/auth-detail-20070919.log<BR> modcall[authorize]: module "auth_log" returns ok for request 0<BR> modcall[authorize]: module "chap" returns noop for request 0<BR> modcall[authorize]: module "mschap" returns noop for request 0<BR> rlm_realm: No '@' in User-Name = "53986067", looking up realm NULL<BR> rlm_realm: No such realm "NULL"<BR> modcall[authorize]: module "suffix" returns noop for request 0<BR> rlm_eap: EAP packet type response id 1 length 20<BR> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR> modcall[authorize]: module "eap" returns updated for request 0<BR> users: Matched entry 53986067 at line 84<BR> modcall[authorize]: module "files" returns ok for request 0<BR>rlm_pap: Found existing Auth-Type, not changing it.<BR> modcall[authorize]: module "pap" returns noop for request 0<BR>modcall: leaving group authorize (returns updated) for request 0<BR> rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR> Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 0<BR>rlm_eap: Identity does not match User-Name, setting from EAP Identity.<BR> rlm_eap: Failed in handler<BR> modcall[authenticate]: module "eap" returns invalid for request 0<BR>modcall: leaving group authenticate (returns invalid) for request 0<BR>auth: Failed to validate the user.<BR>Login incorrect: [53986067/&lt;no User-Password attribute&gt;] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)<BR>Delaying request 0 for 1 seconds<BR>Finished request 0<BR>Going to the next request<BR>--- Walking the entire request list ---<BR>Waking up in 1 seconds...<BR>--- Walking the entire request list ---<BR>Waking up in 1 seconds...<BR>--- Walking the entire request list ---<BR>Sending Access-Reject of id 63 to 10.219.157.232 port 20000<BR>Waking up in 4 seconds...<BR>--- Walking the entire request list ---<BR>Cleaning up request 0 ID 63 with timestamp 46f0d4b4<BR>Nothing to do. Sleeping until we see a request.<BR>----------------------------------------------------------------------------------------------------------------------------------------<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
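<DIV>The following Python is an added example, not part of the original message and not FreeRADIUS code. It decodes the EAP-Message attribute from the debug above and compares the EAP Identity inside it with User-Name, both as received and as rlm_realm later logs it. The strip_nt_domain helper is hypothetical and assumes the shortened name comes from with_ntdomain_hack = yes in preprocess.</DIV>
<PRE>
```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Values copied from the Access-Request in the debug output above.
EAP_MESSAGE = "0x0201001401434e393030305c3533393836303637"
USER_NAME_RECEIVED = "CN9000\\53986067"  # one backslash; the debug prints it escaped
USER_NAME_IN_RLM_REALM = "53986067"      # as logged after preprocess has run


def parse_eap(hex_value):
    """Parse one EAP packet (RFC 3748 header: code, id, 16-bit length, then type)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if 4 > len(raw):
        raise ValueError("EAP packet is shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown"), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type octet
        if 5 > length:
            raise ValueError("Request/Response without a Type octet")
        pkt["type"], pkt["data"] = raw[4], raw[5:]
    return pkt


def eap_identity(pkt):
    """Return the identity string of an EAP-Response/Identity, else None."""
    if pkt["code"] != "Response" or pkt["type"] != EAP_TYPE_IDENTITY:
        return None
    return pkt["data"].decode("utf-8", errors="replace")


def strip_nt_domain(name):
    """Hypothetical helper: drop a leading NT-style 'DOMAIN\\' prefix, which is
    the assumed effect of with_ntdomain_hack = yes on User-Name."""
    return name.split("\\", 1)[1] if "\\" in name else name


def compare(eap_hex, user_name):
    """Report the EAP Identity next to the User-Name the server is working with."""
    identity = eap_identity(parse_eap(eap_hex))
    return {"identity": identity, "user_name": user_name,
            "match": identity == user_name}


if __name__ == "__main__":
    print(parse_eap(EAP_MESSAGE))
    print(compare(EAP_MESSAGE, USER_NAME_RECEIVED))      # match: True
    print(compare(EAP_MESSAGE, USER_NAME_IN_RLM_REALM))  # match: False
```
</PRE>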
<DIV style="PADDING-LEFT: 7px; MARGIN: 0px 0px 0px 15px; BORDER-LEFT: #050505 1px solid; BACKGROUND-COLOR: #f3f3f3">if so, then I would be concerned by this in the debug:<BR><BR><BR>> modcall: entering group authenticate for request 0<BR>> rlm_eap: Identity does not match User-Name, setting from EAP Identity.<BR>> rlm_eap: Failed in handler<BR>> modcall[authenticate]: module "eap" returns invalid for request 0<BR>> modcall: leaving group authenticate (returns invalid) for request 0<BR>> auth: Failed to validate the user.<BR>> Login incorrect: [53986067/&lt;no User-Password attribute&gt;] (from client elhc-network port 0 cli 00-0F-CB-FA-D4-63)<BR><BR><BR>what are you doing with the User-Name and/or identity? you can't play with those<BR>packets as it breaks EAP. the debug also looks worryingly short. you should<BR>post the whole debug. also, HOW are you authenticating the users? you<BR>don't have ntlm_auth set and LDAP doesn't seem to be doing anything...I fear<BR>very very much that you have some Auth-Type := EAP in your users file<BR>or something worse! please post your config files.<BR><BR>oh, and don't hurry, I'm certainly not demanding an urgent response.<BR><BR>alan<BR><BR><BR><BR></DIV></BODY></HTML>