Hello! I need some help, please. I need to reject a MSCHAP request based on request:Service-Type. The access-request package is: (13) Received Access-Request Id 154 from 186.209.57.182:36712 to 66.228.40.107:1812 length 150 (13) Service-Type = Login-User (13) User-Name = "domingos" (13) MS-CHAP-Challenge = 0xa110fa67f06890c435ad37caea5f0687 (13) MS-CHAP2-Response = 0x00008d30616b943fb54593ac922fe9d686d5000000000000000023b65bd8115df118559a56f434829c17838d7120bff04eb5 (13) Calling-Station-Id = "192.168.0.2" (13) NAS-Identifier = "Main_Router" (13) NAS-IP-Address = 186.209.57.182 (13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (13) authorize { (13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) { (13) EXPAND %{Cisco-AVPair[*]} (13) --> (13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE (13) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) { (13) ERROR: Failed retrieving values required to evaluate condition (13) else { (13) update request { (13) EXPAND %{toupper:%{Calling-Station-Id}} (13) --> 192.168.0.2 (13) Calling-Station-Id := 192.168.0.2 (13) } # update request = noop (13) } # else = noop (13) if (!control:Cleartext-Password){ (13) if (!control:Cleartext-Password) -> TRUE (13) if (!control:Cleartext-Password) { (13) update control { (13) Cleartext-Password := "no_user_found_radiusnet" (13) } # update control = noop (13) } # if (!control:Cleartext-Password) = noop (13) [preprocess] = ok (13) [chap] = noop (13) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (13) [mschap] = ok (13) eap: No EAP-Message, not doing EAP (13) [eap] = noop (13) sql: EXPAND %{User-Name} (13) sql: --> domingos (13) sql: SQL-User-Name set to 'domingos' (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'domingos' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'domingos' ORDER BY id (13) sql: User found in radcheck table (13) sql: Conditional check items matched, merging assignment check items (13) sql: Cleartext-Password := "ghcjkgfh" (13) sql: Service-Type := Login-User (13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (13) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'domingos' ORDER BY id (13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'domingos' ORDER BY id (13) sql: User found in radreply table, merging reply items (13) sql: Mikrotik-Group = "full" (13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (13) sql: --> SELECT groupname FROM radusergroup WHERE username = 'domingos' ORDER BY priority (13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'domingos' ORDER BY priority (13) sql: User not found in any groups (13) [sql] = ok (13) pap: WARNING: Auth-Type already set. Not setting to PAP (13) [pap] = noop (13) } # authorize = ok (13) Found Auth-Type = mschap (13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (13) authenticate { (13) mschap: Found Cleartext-Password, hashing to create NT-Password (13) mschap: Found Cleartext-Password, hashing to create LM-Password (13) mschap: Creating challenge hash with username: domingos (13) mschap: Client is using MS-CHAPv2 (13) mschap: Adding MS-CHAPv2 MPPE keys (13) [mschap] = ok (13) } # authenticate = ok (13) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (13) post-auth { (13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) { (13) EXPAND %{Cisco-AVPair[*]} (13) --> (13) if ("%{Cisco-AVPair[*]}" =~ /client-mac-address=(.*)/) -> FALSE (13) elsif (ERX-Dhcp-Mac-Addr =~ /^([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9]).([a-f0-9][a-f0-9])([a-f0-9][a-f0-9])$/) { (13) ERROR: Failed retrieving values required to evaluate condition (13) else { (13) update request { (13) EXPAND %{toupper:%{Calling-Station-Id}} (13) --> 192.168.0.2 (13) Calling-Station-Id := 192.168.0.2 (13) } # update request = noop (13) } # else = noop (13) sqlippool_v4: No Pool-Name defined (13) sqlippool_v4: EXPAND No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) (13) sqlippool_v4: --> No Pool-Name defined (did cli 192.168.0.2 port user domingos) (13) [sqlippool_v4] = noop (13) sqlippool_v6: No Pool-Name defined (13) sqlippool_v6: EXPAND No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) (13) sqlippool_v6: --> No Pool-Name defined (did cli 192.168.0.2 port user domingos) (13) [sqlippool_v6] = noop (13) update { (13) No attributes updated (13) } # update = noop (13) sql: EXPAND .query (13) sql: --> .query (13) sql: Using query template 'query' (13) sql: EXPAND %{User-Name} (13) sql: --> domingos (13) sql: SQL-User-Name set to 'domingos' (13) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', UTC_TIMESTAMP(), '%{NAS-IP-Address}', '%{Calling-Station-Id}') (13) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'domingos', '', 'Access-Accept', UTC_TIMESTAMP(), '186.209.57.182', '192.168.0.2') (13) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate, nasipaddress, callingstationid) VALUES ( 'domingos', '', 'Access-Accept', UTC_TIMESTAMP(), '186.209.57.182', '192.168.0.2') (13) sql: SQL query returned: success (13) sql: 1 record(s) updated (13) [sql] = ok (13) [exec] = noop (13) policy remove_reply_message_if_eap { (13) if (&reply:EAP-Message && &reply:Reply-Message) { (13) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (13) else { (13) [noop] = noop (13) } # else = noop (13) } # policy remove_reply_message_if_eap = noop (13) } # post-auth = ok (13) Sent Access-Accept Id 154 from 66.228.40.107:1812 to 186.209.57.182:36712 length 0 (13) Mikrotik-Group = "full" (13) MS-CHAP2-Success = 0x00533d37323241353031413237414144393731304344434439394143333631313837374641433930343844 (13) MS-MPPE-Recv-Key = 0x9fa3aa9656828c3e1aa891107bca46ef (13) MS-MPPE-Send-Key = 0x7fe346a576db74394b746b3b638a4037 (13) MS-MPPE-Encryption-Policy = Encryption-Allowed (13) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed (13) Finished request The authenticate section on sites-enabled default is: authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap{ reject = 1 invalid = 1 } if (request:Service-Type == Login-User && !request:NAS-Port-Type && !reply:Mikrotik-Group){ reject } if (request:Service-Type == Login-User && request:NAS-Port-Type && reply:Mikrotik-Group){ reject } if (request:Service-Type == Framed-User && reply:Mikrotik-Group){ reject } if (invalid && Framed-Protocol == PPP) { ok update control { Auth-Type := "Accept" Pool-Name := "pool_username_or_mac_error" } update request{ User-Password := "username_or_mac_error" } update reply { framed-pool := "pool_username_or_mac_error" mikrotik-rate-limit := 10k framed-ip-address !* ANY } #ok } } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap{ reject = 1 invalid = 1 } if (request:Service-Type == Login-User){ reject } } # # For old names, too. # mschap # # Allow EAP authentication. eap } I´m trying to follow the same logic from "Auth-Type CHAP", but without success. Could please someone point me the right directions, please? Thanks Fabricio Viana