I am running Freeradius 2.1.12 on a Centos box. I am able to authenticate from the server command line, and from a Cisco ASR1k BRAS via the command line. However, when I attempt to authenticate customers from the DSL network, I get a reject, even though the crypt'd passwords match! Here is a sample from a trace: rad_recv: Access-Request packet from host 204.111.5.9 port 1645, id=235, length=89 Framed-Protocol = PPP User-Name = "k143rott" User-Password = "k*****" NAS-Port-Type = Virtual NAS-Port = 0 NAS-Port-Id = "0/0/0/304" Service-Type = Framed-User NAS-IP-Address = 204.111.5.9 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "k143rott", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "k143rott" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry DEFAULT at line 169 [files] users: Matched entry DEFAULT at line 172 [files] users: Matched entry DEFAULT at line 186 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "krt444" [pap] Using CRYPT password "*3u.3LS/VKTOVc" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CRYPT password check failed): [k143rott/k*****] (from client va-edbg-bras-1 port 0) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> k143rott attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 30 for 1 seconds Going to the next request Sending delayed reject for request 21 Sending Access-Reject of id 227 to 204.111.5.9 port 1645 The crypt'd password ("*3u.3LS/VKTOVc") is exactly what is in the /etc/shadow file. So I am confident the shared secret is correct. What am I doing wrong? -- Haskins Family Farm Middletown, VA web: http://www.haskinsfamilyfarm.com FB: http://www.facebook.com/pages/Middletown-VA/Haskins-Family-Farm/114984971161