We are using freeradius for EDUROAM authentication with an oracle-ldap as password store. Actually we are using still radius version 2, but we now install a new radius version 3. We found the following different behavior between version 2 and version3 which make our authentication fail: freeradius receives user password from oracle-ldap in the following form: (1) ldap: control:Password-With-Header += '{X- ORCLIFSMD5}***' (1) ldap: control:Password-With-Header += '{X- ORCLWEBDAV}***' (1) ldap: control:Password-With-Header += '{MD5}***' (1) ldap: control:Password-With-Header += '{X- ORCLLMV}***' (1) ldap: control:Password-With-Header += '{X- ORCLNTV}***' The first two Headers are unknown to radius, that's why our Freeradius 2.2.5 is going to the next Password-with-Header until it finds a usable one and then can authenticate the user successfully: - [pap] Found unknown header {{X- ORCLIFSMD5}}: Not doing anything - [pap] Found unknown header {{X- ORCLWEBDAV}}: Not doing anything - [pap] Normalizing MD5-Password from base64 encoding - [pap] Normalizing LM-Password from hex encoding - [pap] Normalizing NT-Password from hex encoding BUT our new installed Freeradius 3.0.12 is no longer skipping unknown hashes, instead tries to re-write the first one to cleartext and ignores the other hashes. Of course the authentication fails: (1) pap: Unknown header {{X- ORCLIFSMD5}} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header Is there a reason for this change version 3? Or are we doing something wrong or is it possible to tell freeradius 3 to ignore unknown password hashes? Regards Oliver