Hello I have a working installation of freeradius2, providing AAA on my wlan by using ldap stored users. I am trying to upgrade to freeradius3, but I met a problem. As far as I understood, the ldap attribute previusly mapped through the ldap.attrmap file now must be mapped by an update statement, so in the ldap module configuration I configured: update { control:Password-With-Header += 'userPassword' control:NT-Password := 'sambaNTPassword' } I know that this is working because in the debug I see: .. (12) 8021x1 : User object found at DN "uid=XXXXXXX (12) 8021x1 : Processing user attributes (12) 8021x1 : control:Password-With-Header += '{SHA}XXXXXXXXXXXXXXXXXXXX' (12) 8021x1 : control:NT-Password := 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX rlm_ldap (8021x1): Released connection (4) But when I try to authenticate I have this error: (12) Found Auth-Type = EAP (12) # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default (12) authenticate { (12) eap : Expiring EAP session with state 0x08682d8c08653729 (12) eap : Finished EAP session with state 0x08682d8c08653729 (12) eap : Previous EAP request found for state 0x08682d8c08653729, released from the list (12) eap : Peer sent MSCHAPv2 (26) (12) eap : EAP MSCHAPv2 (26) (12) eap : Calling eap_mschapv2 to process EAP data (12) eap_mschapv2 : # Executing group from file /ofb/freeradius/etc/raddb/sites-enabled/default (12) eap_mschapv2 : Auth-Type MS-CHAP { (12) mschap : No Cleartext-Password configured. Cannot create LM-Password (12) ERROR: mschap : NT-Password has not been normalized by the "pap" module. Authentication will fail. (12) mschap : Creating challenge hash with username: XXX (12) mschap : Client is using MS-CHAPv2 for XXX, we need NT-Password (12) mschap : FAILED: No NT/LM-Password. Cannot perform authentication. (12) mschap : FAILED: MS-CHAP2-Response is incorrect (12) [mschap] = reject (12) } # Auth-Type MS-CHAP = reject (12) eap : Freeing handler (12) [eap] = reject (12) } # authenticate = reject (12) Failed to authenticate the user. (12) Using Post-Auth-Type Reject (12) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. } # server default (12) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\rE=691 R=1' EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 (12) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\rE=691 R=1' EAP-Message = 0x040d0004 Message-Authenticator = 0x00000000000000000000000000000000 (12) eap_peap : Tunneled authentication was rejected. (12) eap_peap : FAILURE I took a peek at the rlm_mschap.c code and I saw that the part "validating" the NT-Password is oddly different from version 2 to version 3, as v2 was: nt_password = pairfind(request->config_items, PW_NT_PASSWORD); if (nt_password) { if ((nt_password->length == 16) || ((nt_password->length == 32) && (fr_hex2bin(nt_password->vp_strvalue, nt_password->vp_octets, 16) == 16))) { RDEBUG2("Found NT-Password"); nt_password->length = 16; while v3 has: nt_password = pairfind(request->config_items, PW_NT_PASSWORD, 0, TAG_ANY); if (nt_password) { if (nt_password->length == 16) { RDEBUG2("Found NT-Password"); } else { RWDEBUG("NT-Password has not been normalized by the 'pap' module. Authentication will fail"); nt_password = NULL; } I use samba's mkntpwd to generate NT hashes, and it generare 32 chars long hashes....so how could i have those hashes "normalized by pap" in my configuration? am i missing some key difference between the 2 versions? Thanks Futhwo