Hi,
Would like to know why Free Radius is putting the user configuration data in Access Challenge ?
as per attrs.access_challenge # This configuration file is used to remove almost all of the # attributes From an Access-Challenge message. The RFC's say # that an Access-Challenge packet can contain only a few # attributes. We enforce that here. # DEFAULT EAP-Message =* ANY, State =* ANY, Message-Authenticator =* ANY, Reply-Message =* ANY, Proxy-State =* ANY, Session-Timeout =* ANY, Idle-Timeout =* ANY this would suggest strongly that you arent actually USING this filter to follow the RFCs that you are so strongly advocating in your post - this filter file is define in modules/attrs attr_filter attr_filter.access_challenge { key = %{User-Name} attrsfile = ${confdir}/attrs.access_challenge } now....read the sites-enabled/default as provided with the server, scroll down to the 'eap' authentication and then you'll see the next 12 lines have the bit that will enable this filter. its commented out by default because its an RFC that not many people care about (having seen junk from IAS/NPS and ACS, FreeRADIUS is already *quite* RFC compliant without tis extra bit of OCD ;-) alan