am trying to setup what I thought should be a fairly simple Freeradius configuration but I am having problems. Simply put I would like FreeRadius to authenticate against our LDAP servers and look into a couple groups to see if the user is authorized. I would also like to have redundant ldap servers so that if one went down for maintenance or other reasons users could still authenticate. I can get Freeradius to work with one LDAP server, but when I try to implement the redundant I have not had any success. According to the debug log, it is find the group the user belongs to correctly, but instead of setting the Auth-Type to LDAP it is setting it to PAP and rejecting. When I configure the system for one LDAP server to Auth-Type is LDAP and everything works. It is probably something simple that I am missing, and would appreciate any suggestions. I have included the debug log below and the configuration files, I have removed all the comments out of the configuration files to be under the 100k size restriction for the list. Thanks Output from request in debugging mode: rad_recv: Access-Request packet from host 127.0.0.1 port 47611, id=245, length=60 User-Name = "testuser" User-Password = "testpassword" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [ldap-server1] Entering ldap_groupcmp() [files] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> testuser [files] expand: (uid=%{%{Stripped-User-Name}:- %{User-Name}}) -> (uid=testuser) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] attempting LDAP reconnection [ldap-server1] (re)connect to ldapserver.somedomain.com:389, authentication 0 [ldap-server1] bind as uid=testuser, ou=people, o=test, o=isp/testpassword to ldapserver.somedomain.com:389 [ldap-server1] waiting for bind result ... [ldap-server1] Bind was successful [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser) [ldap-server1] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquem ember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(o bjectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))) [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in cn=DialupFS,ou=Groups,o=test,o=isp, with filter (|(&(objectClass=GroupOfNames)(member=uid\ 3dtestuser\2cou\3dpeople\2co\3dtest\2co\3disp))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cou\3dpeople\2co\ 3dtest\2co\3disp))) rlm_ldap::ldap_groupcmp: User found in group cn=DialupFS,ou=Groups,o=test,o=isp [ldap-server1] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 166 ++[files] returns ok ++- entering policy redundant {...} [ldap-server1] performing user authorization for testuser [ldap-server1] expand: %{Stripped-User-Name} -> [ldap-server1] ... expanding second conditional [ldap-server1] expand: %{User-Name} -> testuser [ldap-server1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser) [ldap-server1] expand: ou=people,o=test,o=isp -> ou=people,o=test,o=isp [ldap-server1] ldap_get_conn: Checking Id: 0 [ldap-server1] ldap_get_conn: Got Id: 0 [ldap-server1] performing search in ou=people,o=test,o=isp, with filter (uid=testuser) [ldap-server1] looking for check items in directory... [ldap-server1] sambaNtPassword -> NT-Password == 0x4234354137334235383034463441323531343346353339333433413430363642 [ldap-server1] sambaLmPassword -> LM-Password == 0x3036323444434332394538433236434346463137333635464146314646453839 [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access [ldap-server1] ldap_release_conn: Release Id: 0 +++[ldap-server1] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 245 to 127.0.0.1 port 47611 Reply-Message = "FS User Authorized" Waking up in 4.9 seconds. Cleaning up request 0 ID 245 with timestamp +48 Ready to process requests. Default File: authorize { preprocess chap mschap User File: DEFAULT ldap-server1-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp" Reply-Message = "FS User Authorized" DEFAULT ldap-server1-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp" Reply-Message = "ST User Authorized" DEFAULT ldap-server2-Ldap-Group == "cn=DialupFS,ou=Groups,o=test,o=isp" Reply-Message = "FS User Authorized" DEFAULT ldap-server2-Ldap-Group == "cn=DialupST,ou=Groups,o=test,o=isp" Reply-Message = "ST User Authorized" DEFAULT Auth-Type := Reject Reply-Message = "User Not Authorized" DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP DEFAULT Hint == "SLIP" Framed-Protocol = SLIP ldap module file: ldap ldap-server1 { server = "ldapserver.somedomain.com" identity = "uid=raduser, ou=people, o=test, o=isp" password = testpassword basedn = "ou=people,o=test,o=isp" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueName s)( uniquemember=%{control:Ldap-UserDn})))" } ldap ldap-server2 { server = "ldapserver2.somedomain.com" identity = "uid=raduser, ou=people, o=test, o=isp" password = testpassword basedn = "ou=people,o=test,o=isp" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueName s)( uniquemember=%{control:Ldap-UserDn})))" } The radiusd.conf file: prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = ${prefix}/var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = ${exec_prefix}/lib pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr ldap-server1 ldap-server2 expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ suffix eap { ok = return } unix files redundant { ldap-server1 ldap-server2 } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { redundant { ldap-server1 ldap-server2 } } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap }