hello, I use FreeRADIUS Version 2.1.3, and I try a basic configuration from my HP procurve2650 to do Mac-based radius auth. for this I've setup a simple users file 005004B7252E Auth-Type := Local, Cleartext-Password := "005004B7252E" Tunnel-type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 15 First ,it isn't clear to me wether to user Cleartext-Password or User-Password and == ou := , and "" or no "" around the password ...!? , anyway, with Cleartext-Password it works fine with radtest at least $ radtest 005004B7252E 005004B7252E 157.159.100.55 16 secret rad_recv: Access-Accept packet from host 157.159.100.55 port 1812, id=81, length=36 Now when my HP switch tries to auth my PC which has 005004B7252E as MAC@ for it's eth0, apparently the HP sends a chap password CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 with turns radius into it's chap module and fails to Authenticate :-( Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject I'am lost. I don't know If I have to set a chap password in "users" files or anywhere else ? (how, syntax ?) or if I have to tell my HP switch not to do chap (again how ?) Thanks . details of radius -X rad_recv: Access-Request packet from host 157.159.17.138 port 1125, id=8, length=195 Framed-MTU = 1480 NAS-IP-Address = 157.159.17.138 NAS-Identifier = "Sw-C01" User-Name = "005004B7252E" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 26 NAS-Port-Type = Ethernet NAS-Port-Id = "26" Called-Station-Id = "00-1c-2e-b4-f2-66" Calling-Station-Id = "00-50-04-b7-25-2e" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" CHAP-Password = 0x07fae6d2c08ceb00229ea664ed50056e80 Message-Authenticator = 0x4f687fe44ece7630d3470b37598b43b8 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.17.138/auth-detail-20090429 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.17.138/auth-detail-20090429 [auth_log] expand: %t -> Wed Apr 29 17:28:16 2009 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "005004B7252E", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "005004B7252E" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> 005004B7252E attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 8 to 157.159.17.138 port 1125 Waking up in 4.9 seconds.