Hello... At the dawn of time, I set up a FreeRADIUS 2.x server with an openLDAP backend for use with my Apple access points. This has worked for years. I am now trying to make the same confuguration with FreeRADIUS 3.0.12 in a FreeBSD jail. Unfortunately, I can not make it work. Testing pap works: radtest -x -t pap .... Testing mschap works: radtest -x -t mschap .... I have NTpasswords in my ldap-database, and FreeRADIUS picks them up. I just don't unerstand why access is not beeing granted by the access points. I have pasted the lengthy log of a failed attempt here: https://pastebin.com/CLqegYRe It looks to me like this is where it goes wrong: ... ... (18) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=kp-vpn-cph)(objectC" (18) files: Waiting for search result... (18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com" rlm_ldap (ldap): Released connection (4) (18) files: users: Matched entry DEFAULT at line 63 (18) [files] = ok rlm_ldap (ldap): Reserved connection (0) (18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) ldap: --> (uid=bj) (18) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += '{CRYPT}$*****' (18) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931 rlm_ldap (ldap): Released connection (0) (18) [ldap] = updated (18) [expiration] = noop (18) [logintime] = noop (18) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password (18) pap: Removing &control:Password-With-Header (18) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = Reject (18) Auth-Type = Reject, rejecting user (18) Failed to authenticate the user (18) Using Post-Auth-Type Reject (18) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (18) Post-Auth-Type REJECT { (18) attr_filter.access_reject: EXPAND %{User-Name} (18) attr_filter.access_reject: --> bj (18) attr_filter.access_reject: Matched entry DEFAULT at line 11 (18) [attr_filter.access_reject] = updated (18) update outer.session-state { (18) No attributes updated (18) } # update outer.session-state = noop (18) } # Post-Auth-Type REJECT = updated (18) } # server inner-tunnel (18) Virtual server sending reply ... ... Thank you, Tobias