On a test deployment I've both mysql and ntlm (AD) configured. If I use EAP no problem to authenticate users on both backend. But…in the process to use a Cisco WLC captive portal I've verified that only sql works. If I add in users DEFAULT Auth-Type = ntlm_auth, then also AD users are authenticated, but not mysql ones. radiusd -X reports in this case: ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = ntlm_auth Instead in absence of DEFAULT Auth-Type = ntlm_auth in users, I logs : ==== rad_recv: Access-Request packet from host 150.178.3.53 port 55249, id=114, length=77 User-Name = "barbato" User-Password = "xxxxxxxxxxx" NAS-IP-Address = 150.178.33.105 NAS-Port = 1 Message-Authenticator = 0x122864a655b86ac6d24c76e360fac328 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "barbato", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "barbato" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> barbato [sql] sql_set_user escaped user --> 'barbato' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'barbato' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'barbato' ORDER BY priority rlm_sql (sql): Released sql socket id: 4 [sql] User barbato not found ++[sql] returns notfound ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [barbato] (from client rfxnet1 port 1) Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> barbato attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated === radtest behave the same. So it's seems I miss something somewhere….any suggestion from the list ? Regards, Paolo. ------------------------------------------------------------------------------------------------ Paolo Barbato Consorzio RFX corso Stati Uniti,4 35127 Padova - Italy Network Administrator phone: +39 049 8295097 fax: +39 049 8700718 ------------------------------------------------------------------------------------------------