Greetings~ We are using FreeRadius 2.1.3 (on snow leopard server). All users are authenticating with vlan assignments correctly; however, if you enable the ldap/(opendirectory) option to "require user to change password on next login" the client is unable to connect. The client login screen will not proceed to prompt the user for a new password; it's simply rejected. If you remove the password policy forcing a password reset, then the user can authenticate. In other words, it appears radius (mschap / ntlm_auth) is specifically rejecting the user if the user has a password reset flag set. Here is a snippet from the radius server debug log: Failed auth: ======= Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] No NT-Password configured. Trying OpenDirectory Authentication. [mschap] OD username_string = adouglas, OD shortUserName=adouglas (length = 8) rlm_mschap: authentication failed -14161 ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "142" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> adouglas attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 15 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 15 Sending Access-Reject of id 245 to 10.0.200.3 port 53907 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 ======= Success auth: ======= Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] No NT-Password configured. Trying OpenDirectory Authentication. [mschap] OD username_string = adouglas, OD shortUserName=adouglas (length = 8) [mschap] dsDoDirNodeAuth returns stepbuff: S=67322D06B7A0A7BB9EBC681EAAEE6FB197CDDCB2 (len=40) ++[mschap] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "142" MS-CHAP2-Success = 0xa9533d36373332324430364237413041374242394542433638314541414545364642313937434444434232 [ttls] Got tunneled Access-Accept ======= One last thing to note, if we specifically allow all users to authenticate (as described in the FAQ with DEFAULT AuthType := Accept), the client login screen will proceed to prompt the user to update a new password. Is there a way to handle password policies (either by ignoring it during mschap, or adding a pre/post filter of some sort)? Any help would greatly be appreciated, thanks in advance, --jsmith