Using freeradius 3 (even though most online help is for version 2) since this is the version that I first got "radtest" to work in. Running it in ubuntu 14.04.4 LTS. I entered a user "bob" into the "freeradius/users" file and radtest bob hello1 localhost 1812 testing1 works fine. I then entered "bobsql" into the database (after adding "sql" to all the places in freeradius/sites-available/default and adding the new mysql user login & database info to freeradius/mods-available/sql) | id | username | attribute | value | op | +----+----------+-----------+----------+----+ | 4 | bobsql | Password | hello1 | := | but the command radtest bobsql hello1 localhost 1812 testing1 gives the "freeradius -X" output: (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type I removed and re-entered "bobsql" to make sure I didn't accidentally add non-visible characters to the username or password. The strange part is that it says it successfully logged the error to the "radpostauth" table: (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated But when I looked at this table it was still empty. I even logged in as "radius" and tested this command to make sure it wasn't being blocked by insufficient user permissions. Dustin p.s.: Here is the area of "freeradius -X" output around the problem area: (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id rlm_sql (sql): Released connection (16) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 30 pending slots used (23) [sql] = notfound (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (23) pap: WARNING: Authentication will fail unless a "known good" password is available (23) [pap] = noop (23) } # authorize = ok (23) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Post-Auth-Type REJECT { (23) sql: EXPAND .query (23) sql: --> .query (23) sql: Using query template 'query' rlm_sql (sql): Reserved connection (15) (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' (23) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (23) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated rlm_sql (sql): Released connection (15) (23) [sql] = ok Here's the entire output of "freeradius -X": (22) Cleaning up request packet ID 198 with timestamp +2275 Ready to process requests (23) Received Access-Request Id 40 from 127.0.0.1:41089 to 127.0.0.1:1812 length 76 (23) User-Name = "bobsql" (23) User-Password = "hello1" (23) NAS-IP-Address = 192.168.0.166 (23) NAS-Port = 1812 (23) Message-Authenticator = 0xa745b8c6f1030fe8a5914f73096859ae (23) # Executing section authorize from file /etc/freeradius/sites-enabled/default (23) authorize { (23) policy filter_username { (23) if (&User-Name) { (23) if (&User-Name) -> TRUE (23) if (&User-Name) { (23) if (&User-Name =~ / /) { (23) if (&User-Name =~ / /) -> FALSE (23) if (&User-Name =~ /@[^@]*@/ ) { (23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (23) if (&User-Name =~ /\.\./ ) { (23) if (&User-Name =~ /\.\./ ) -> FALSE (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (23) if (&User-Name =~ /\.$/) { (23) if (&User-Name =~ /\.$/) -> FALSE (23) if (&User-Name =~ /@\./) { (23) if (&User-Name =~ /@\./) -> FALSE (23) } # if (&User-Name) = notfound (23) } # policy filter_username = notfound (23) [preprocess] = ok (23) [chap] = noop (23) [mschap] = noop (23) [digest] = noop (23) suffix: Checking for suffix after "@" (23) suffix: No '@' in User-Name = "bobsql", looking up realm NULL (23) suffix: No such realm "NULL" (23) [suffix] = noop (23) eap: No EAP-Message, not doing EAP (23) [eap] = noop (23) [files] = noop (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' rlm_sql (sql): Reserved connection (16) (23) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id (23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'bobsql' ORDER BY id rlm_sql (sql): Released connection (16) rlm_sql (sql): Need 1 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (17), 1 of 30 pending slots used (23) [sql] = notfound (23) [expiration] = noop (23) [logintime] = noop (23) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (23) pap: WARNING: Authentication will fail unless a "known good" password is available (23) [pap] = noop (23) } # authorize = ok (23) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (23) Failed to authenticate the user (23) Using Post-Auth-Type Reject (23) # Executing group from file /etc/freeradius/sites-enabled/default (23) Post-Auth-Type REJECT { (23) sql: EXPAND .query (23) sql: --> .query (23) sql: Using query template 'query' rlm_sql (sql): Reserved connection (15) (23) sql: EXPAND %{User-Name} (23) sql: --> bobsql (23) sql: SQL-User-Name set to 'bobsql' (23) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (23) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bobsql', 'hello1', 'Access-Reject', '2016-04-19 12:43:09') (23) sql: SQL query returned: success (23) sql: 1 record(s) updated rlm_sql (sql): Released connection (15) (23) [sql] = ok (23) attr_filter.access_reject: EXPAND %{User-Name} (23) attr_filter.access_reject: --> bobsql (23) attr_filter.access_reject: Matched entry DEFAULT at line 11 (23) [attr_filter.access_reject] = updated (23) [eap] = noop (23) policy remove_reply_message_if_eap { (23) if (&reply:EAP-Message && &reply:Reply-Message) { (23) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (23) else { (23) [noop] = noop (23) } # else = noop (23) } # policy remove_reply_message_if_eap = noop (23) } # Post-Auth-Type REJECT = updated (23) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (23) Sending delayed response (23) Sent Access-Reject Id 40 from 127.0.0.1:1812 to 127.0.0.1:41089 length 20 Waking up in 3.9 seconds. (23) Cleaning up request packet ID 40 with timestamp +2281