So I guess I missed something completely or its not possible to have a username ONLY listed in Radcheck with Crypt-Password and authenticate that user?
Does the username really need to be be in both the UserGroup table and Radcheck table for a crypt-password method to work?
No, it's got nothing to do with the specifics of the tables they're in, just the specific of what config items are added by the modules (in this case SQL). Obviously if you remove the user from the group which is setting Auth-Type to the right value, it will stop working. The user has to have Auth-Type set to an appropriate value to execute an appropriate module. The "Local" auth-type is effectively a kind of built-in pap module with some kind of odd heuristic guessing of what type of auth to do, where to get the passwords from, and so forth. You are much better off in my opinion using the pap module. Auth-Type being Local does not do that. Auth-Type being "PAP" and a section in authenticate like: authenticate { Auth-Type PAP { pap } } ...does