Dear Good Peoples Greetings Version Information: FreeRADIUS 2.2.0. Question: What does the following means? Is it not authentication area in "default" virtual server? i have listed "ldap" there. 1.) rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. 2.) i have one Linux open-ldap server, FreeRADIUS Auth works from that LDAP server, with following configuration. Please note, the passport storage in destination Linux LDAP Server is cleartext. i do check using the following command. * radtest mike aabb88@ localhost 1812 HYbbunINFDR$88 * # CentOS Open-ldap Server server = "ldapserver-mydomain.net<http://ldap.digital-infotech.net/> " identity = "cn=Administrator,dc=ldap-mydomain,dc=net" password = "password" basedn = "dc=mydomain,dc=net" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" i receive, access Accept !!! - NO problem 3.) When i do user query from FreeRADIUS to Windows Domain Controller Server 2012 x64. # Windows Domain Controller Server 2012 64-Bit AD server = "ldap-mydomain.com <http://ldap-teledataict.com/>" identity = "cn=Administrator,cn=Users,dc=ldap-mydomain,dc=com" password = "password" basedn = "dc=ldap-mydomain,dc=com" # Enable One Filter Only #filter = "(SamAccountName=%u)" filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" 3a) Following is the out-put with REJECT access, Perhaps because password storage in AD is not clear text, is it due to that? Perhaps it cannot be tested with redtest? i am using the following to test, is it correct test * radtest mike aabb88@ localhost 1812 HYbbunINFDR$88* 4.) rad_recv: Access-Request packet from host 127.0.0.1 port 46861, id=137, length=75 User-Name = "mike" User-Password = "aabb88@" NAS-IP-Address = 14.14.14.14 NAS-Port = 1812 Message-Authenticator = 0x4a3417dcf9e80de96f2274fbfa6f5c4d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "mike", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] performing user authorization for mike [ldap] expand: (SamAccountName=%u) -> (SamAccountName=mike) [ldap] expand: dc=ldap-teledataict,dc=com -> dc=ldap-teledataict,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to ldap-mydomain.net:389<http://ldap-teledataict.com:389/>, authentication 0 [ldap] bind as cn=Administrator,cn=Users,dc=ldap-teledataict,dc=com/rootadmin to ldap-mydomain.net:389 <http://ldap-teledataict.com:389/> [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=ldap-teledataict,dc=com, with filter (SamAccountName=mike) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user mike authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[dailycounter] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[forevertimecounter] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_sqlcounter: Entering module authorize code rlm_sqlcounter: Could not find Check item value pair ++[gigawordcounter] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/auth_all +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mike attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 137 to 127.0.0.1 port 46861 Waking up in 4.9 seconds. Cleaning up request 0 ID 137 with timestamp +3 Ready to process requests. Thanks / Regards