What we would like to do is this: Take this request: User-Name = "6064191111@evdo.myawi.net" CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58 NAS-IP-Address = 10.130.2.1 CHAP-Challenge = 0x022074534be2e8405c867f676b46b432 3GPP2-Attr-60 = 0x00000001 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41 Message-Authenticator = 0x01f9054690c3a469fa1bf824dfba3bbe Proxy-State = 0x3136 And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password. Here is the perl code that we run prior to the pap module: $retattr .= "Cleartext-Password := $meid"; $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" "; $retattr .= ", Auth-Type := PAP "; We return the retattr to freeradius. Here is the output: Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} [preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1 [preprocess] expand: %{NAS-IP-Address} -> 10.130.2.1 ++[preprocess] returns ok [evdoesn] expand: %{User-Name} -> 6064191111@evdo.myawi.net Exec-Program output: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program-Wait: value-pairs: Cleartext-Password := 268435460102579521, CHAP-Password :="" , CHAP-Challenge :="" , Auth-Type := PAP Exec-Program: returned: 0 ++[evdoesn] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.55.42.32/auth-detail-20130118 [auth_log] expand: %t -> Fri Jan 18 11:06:43 2013 ++[auth_log] returns ok [sql] expand: %{User-Name} -> 6064191111@evdo.myawi.net [sql] sql_set_user escaped user --> '6064191111@evdo.myawi.net' rlm_sql (sql): Reserving sql socket id: 50 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] User found in radcheck table [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '6064191111@evdo.myawi.net' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='6064191111@evdo.myawi.net' rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='6064191111@evdo.myawi.net' rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 [sql] expand: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] User found in group evdo [sql] expand: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '6064191111@evdo.myawi.net' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 rlm_sql (sql): Released sql socket id: 50 ++[sql] returns ok [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. CHAP-Password is incorrect. Failed to authenticate the user. Login incorrect: [6064191111@evdo.myawi.net/<CHAP-Password>] (from client radius08 port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default -- regards, Joseph