I don't understand what is happening to the password as I can see it correctly in the access request. I also would have expected to see the password on this line just before the error: (0) Auth-Type PAP { (0) pap : Login attempt with password [SHOULDN'T THE PASSWORD BE HERE??? IT IS NOT] Here is the full output (minus the IP addresses): Received Access-Request Id 8 from X:18852 to X:1812 length 107 User-Name = '20c9d081bcc3' User-Password = '20c9d081bcc3' NAS-Identifier = '58-B6-33-1A-7D-20' NAS-IP-Address = X Service-Type = Login-User NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c (0) Received Access-Request packet from host X port 18852, id=8, length=107 (0) User-Name = '20c9d081bcc3' (0) User-Password = '20c9d081bcc3' (0) NAS-Identifier = '58-B6-33-1A-7D-20' (0) NAS-IP-Address = X (0) Service-Type = Login-User (0) NAS-Port-Type = Wireless-802.11 (0) Message-Authenticator = 0xafa4b69194ca031fd61fa4c300b0198c (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) sql : EXPAND %{User-Name} (0) sql : --> 20c9d081bcc3 (0) sql : SQL-User-Name set to '20c9d081bcc3' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = '20c9d081bcc3' ORDER BY id' (0) sql : User found in radcheck table (0) sql : Check items matched (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = '20c9d081bcc3' ORDER BY id' (0) sql : User found in radreply table (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql : --> SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = '20c9d081bcc3' ORDER BY priority' (0) sql : User not found in any groups rlm_sql (sql): Released connection (4) (0) [sql] = ok (0) if (notfound) (0) if (notfound) -> FALSE (0) expiration : Account will expire at 'May 12 2016 13:00:00 UTC' (0) [expiration] = ok (0) if (userlock) (0) if (userlock) -> FALSE (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password *(0) ERROR: pap : Cleartext password does not match "known good" password* (0) pap : Passwords don't match (0) [pap] = reject (0) } # Auth-Type PAP = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> 20c9d081bcc3 (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response Waking up in 3.9 seconds. (0) Cleaning up request packet ID 8 with timestamp +6 of note: records in the mysql radcheck table related to the user | 54 | 20C9D081BCC3 | Expiration | := | 12 May 2016 13:00 | | 55 | 20C9D081BCC3 | Cleartext-Password | := | 20C9D081BCC3 | | 56 | 20C9D081BCC3 | Site-Id | := | LAB |