OK. I'm stuck. I don't understand what I am doing wrong. I have installed freeradius with version 2.1.1-6.1 for SLE 10 SP2. I fumbled my way through LDAP authentication to edirectory (probably in all the wrong ways I'm sure). The issue I have now is that the attributes I set in the user file: DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 10 The attributes are not included in the Access-Accept when using radtest or a XP workstation using the Novell 802.1x client. Below is the debug: rad_recv: Access-Request packet from host 10.1.0.24 port 32888, id=30, length=59 User-Name = "testuser" User-Password = "password" NAS-IP-Address = 10.1.0.24 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/auth-detail-20090725 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/auth-detail-20090725 [auth_log] expand: %t -> Sat Jul 25 08:20:43 2009 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for testuser [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> testuser [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser) [ldap] expand: o=integrity -> o=integrity rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=integrity, with filter (cn=testuser) [ldap] Added the eDirectory password password in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request is correct. +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.24/reply-detail-20090725 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.24/reply-detail-20090725 [reply_log] expand: %t -> Sat Jul 25 08:20:43 2009 ++[reply_log] returns ok rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[exec] returns noop Sending Access-Accept of id 30 to 10.1.0.24 port 32888 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 30 with timestamp +27 Ready to process requests. However when I use an XP client and no Novell client or ntradping I see the attributes and I am assigned the correct VLAN Here is the debug below: rad_recv: Access-Request packet from host 10.1.0.5 port 1541, id=6, length=48 User-Name = "testuser" CHAP-Password = 0xa734db980a0367669cce38acbf8badf1bc +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/auth-detail-20090725 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/auth-detail-20090725 [auth_log] expand: %t -> Sat Jul 25 08:18:16 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound rlm_ldap: Entering ldap_groupcmp() [files] expand: o=integrity -> o=integrity [files] expand: %{Stripped-User-Name} -> [files] expand: %{User-Name} -> testuser [files] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=ldapuser,o=integrity/ldappass to oes1.nteg.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in o=integrity, with filter (cn=testuser) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=WirelessDisabled,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group cn=WirelessDisabled,o=integrity not found or user is not a member. rlm_ldap: Entering ldap_groupcmp() [files] expand: o=integrity -> o=integrity [files] expand: (|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{check:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=WirelessAllowed,o=integrity, with filter (|(&(objectClass=GroupOfNames)(member=cn\3dtestuser\2co\3dintegrity))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtestuser\2co\3dintegrity))) rlm_ldap::ldap_groupcmp: User found in group cn=WirelessAllowed,o=integrity rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 4 ++[files] returns ok [ldap] performing user authorization for testuser [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> testuser [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=testuser) [ldap] expand: o=integrity -> o=integrity rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=integrity, with filter (cn=testuser) [ldap] Added the eDirectory password password in check items as Cleartext-Password [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "testuser" with CHAP password [chap] Using clear text password "password" for user testuser authentication. [chap] chap user testuser authenticated succesfully ++[chap] returns ok +- entering group post-auth {...} [reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/10.1.0.5/reply-detail-20090725 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/10.1.0.5/reply-detail-20090725 [reply_log] expand: %t -> Sat Jul 25 08:18:16 2009 ++[reply_log] returns ok rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to oes1.nteg.net:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder.b64 rlm_ldap: starting TLS rlm_ldap: bind as cn=testuser,o=integrity/password to oes1.nteg.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[exec] returns noop Sending Access-Accept of id 6 to 10.1.0.5 port 1541 Service-Type = Login-User Tunnel-Type:0 == VLAN Tunnel-Medium-Type:0 == IEEE-802 Tunnel-Private-Group-Id:0 == "10" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 6 with timestamp +9 Ready to process requests. I will not even pretend to know what I am doing wrong. I don't understand why I receive the following errors as well: WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. This is all that is in the users file and I cannot find Auth-Type = Local in any other file: DEFAULT Huntgroup-Name == WirelessGear, Ldap-Group == "cn=WirelessAllowed,o=integrity" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 10 Thank you in advance for your time and patience.