special thx to phil and alex for inital help testing FR with password change. With some help today, I managed to download, compile and install the latest copy of FR source code on centOS server. I cannot however get a password change prompt to appear on my calling-station device. any ideas? I am running this in test lab with cisco ASA, which is sending MS-CHAPv2 request to FR server, as some debug output shows: MS-CHAP-Challenge = 0x0d786b3e916d7e (shortened) MS-CHAP2-Response = 0x008ebeb5e7b5 (shortened) My local user account in users file is configured with NT-LM Hash, and set to expire: wrichmond NT-Password :="64f12cddaa88057e06a81b54e73b949b", Expiration :="Dec 04 1994" I can login fine when Expiration filed is commented out. I have configured dictionary file for password expiration: VALUE Server-Config Password-Expiration 30 VALUE Server-Config Password-Warning 5 When I send AUTH request, I am denied login, with an account password is expired message. I should get a prompt on my calling-station device to change password. The cisco ASA is configure with password-management: tunnel-group TG_VPN_1 general-attributes default-group-policy GPOL_1 password-management password-expire-in-days 5 On FR server, I get this debug output: rad_recv: Access-Request packet from host 2.2.2.2 port 1025, id=28, length=217 User-Name = "wrichmond" NAS-Port = 188416 Called-Station-Id = "3.3.3.3" Calling-Station-Id = "1.1.1.1" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "1.1.1.1" MS-CHAP-Challenge = XXXXXXXXXXXXXXXXXXXX MS-CHAP2-Response = XXXXXXXXXXXXXXXXXXXXXX NAS-IP-Address = 2.2.2.2 Cisco-AVPair = "ip:source-ip=1.1.1.1" (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) group authorize { (0) - entering group authorize {...} (0) [preprocess] = ok (0) [chap] = noop (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix : No '@' in User-Name = "wrichmond", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) files : users: Matched entry wrichmond at line 76 (0) [files] = ok (0) expiration : Checking Expiration time: 'ÐLá.04 1994' (0) expiration : Account has expired (0) expiration : expand: Password Has Expired -> Password Has Expired (0) [expiration] = userlock (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) group REJECT { (0) - entering group REJECT {...} (0) attr_filter.access_reject : expand: %{User-Name} -> wrichmond (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) - entering policy remove_reply_message_if_eap {...} (0) ? if (reply:EAP-Message && reply:Reply-Message) (0) ? Evaluating (reply:EAP-Message ) -> FALSE (0) ? Skipping (reply:Reply-Message) (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) - entering else else {...} (0) [noop] = noop (0) - else else returns noop (0) - policy remove_reply_message_if_eap returns noop (0) Finished request 0.