Hi, posting to devel, as this is possibly a severe bug. Apologies if not. In FR 2, I authenticated our staff against a users-style file, setting NT-Password := ... Their passwords were checked. In FreeRADIUS 3, I retained this, NT-Passwords are found, pap returns noop(?), authorize returns ok, and then I see Auth-Type = Accept, accepting the user *regardless of his password* ? I've rolled back the one affected vserver that had this problem, but would be really interested in an explanation. here is the -X flow: rad_recv: Access-Request packet from host 158.64.1.65 port 46814, id=96, length=63 User-Name = 'ctompers' User-Password = '' NAS-Identifier = 'AAI-Staff-IdP' (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/AAI (11) authorize { (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) -> TRUE (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) { (11) update request { (11) RESTENA-Service-Type := 'Staff-AAI' (11) } # update request = noop (11) } # if ( NAS-Identifier == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) suffix : No '@' in User-Name = "ctompers", looking up realm NULL (11) suffix : No such realm "NULL" (11) [suffix] = noop (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) -> TRUE (11) if ( NAS-Identifier == "AAI-Staff-IdP" ) { (11) update control { (11) Proxy-To-Realm := 'TO-STAFF' (11) } # update control = noop (11) } # if ( NAS-Identifier == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) } # authorize = noop Proxying to virtual server staff (11) # Executing section authorize from file /usr/local/freeradius/config/raddb/sites-enabled/staff (11) authorize { (11) if ( "%{NAS-Identifier}" == "ejabberd" ) (11) EXPAND %{NAS-Identifier} (11) --> AAI-Staff-IdP (11) if ( "%{NAS-Identifier}" == "ejabberd" ) -> FALSE (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) (11) EXPAND %{NAS-Identifier} (11) --> AAI-Staff-IdP (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) -> TRUE (11) elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) { (11) update request { (11) RESTENA-Service-Type = 'Staff-AAI' (11) } # update request = noop (11) } # elsif ( "%{NAS-Identifier}" == "AAI-Staff-IdP" ) = noop (11) ... skipping else for request 11: Preceding "if" was taken (11) if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) (11) Client does not contain config item "staff_type" (11) EXPAND %{client:staff_type} (11) --> (11) if ( "%{client:staff_type}" == "Nagios-Login" && User-Name == "testuser.monitor" ) -> FALSE (11) if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-Jabber" ) -> FALSE (11) auth_log_silent : EXPAND /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail (11) auth_log_silent : --> /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail (11) auth_log_silent : /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20140415/Staff-AAI-service/auth-detail (11) auth_log_silent : EXPAND %t (11) auth_log_silent : --> Tue Apr 15 09:57:57 2014 (11) [auth_log_silent] = ok (11) if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-IMAP" && "%{strlen:%{User-Password}}" == "96" ) -> FALSE (11) else else { (11) staff-auth : users: Matched entry ctompers at line 22 (11) [staff-auth] = ok (11) } # else else = ok (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) (11) EXPAND %{RESTENA-Service-Type} (11) --> Staff-AAI (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) -> TRUE (11) if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) { (11) staff-attributes : users: Matched entry ctompers at line 45 (11) [staff-attributes] = ok (11) } # if ( "%{RESTENA-Service-Type}" == "Staff-AAI" ) = ok (11) [mschap] = noop (11) [eap-staff] = noop (11) [pap] = noop (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) (11) EXPAND %{Packet-Src-IP-Address} (11) --> 158.64.1.65 (11) if ( "%{Packet-Src-IP-Address}" == "158.64.1.229" ) -> FALSE (11) } # authorize = ok (11) Auth-Type = Accept, accepting the user (11) # Executing section post-auth from file /usr/local/freeradius/config/raddb/sites-enabled/staff (11) post-auth { (11) restena_log_policy restena_log_policy { You see two files matches: the first one, "staff-auth : users: Matched entry ctompers at line 22" is the NT-Password: [...] ctompers NT-Password := EA38E7ADC559499F31CF4FA0F195ABCD [...] (the password hash is edited) The second match is a series of reply attributes, none of which is Auth-Type of course. The match at that line 45 is expected. But... WHY does it not check the password against the NT-Password? This same config works with FreeRADIUS 2; pap returns updated, authorize returns updated, and authenticate checks the input against the configured password? Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66