Greetings all, Instead of auth'ing a user on the 'User-Name' / 'Cleartext-Password' method we are using the 'Caller-Station-Id' with a blank password. ... # /etc/freeradius/sql/mysql/dialup.conf sql_user_name = "%{Calling-Station-Id}" ... We are using a mysql backend Here are a few challenges that came up: Using PAP: * The blank password transmitted is picked up by the RADIUS as "void" (an actual string value of 4 charaters) * To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | void] * Here are snippets of a successful connection ... rad_recv: Access-Request packet from host x.x.x.x port 57772, id=75, length=156 User-Name = "void" User-Password = "void" NAS-IP-Address = x.x.x.x NAS-Identifier = "rbggs2" Called-Station-Id = "apn.xxx.net" Framed-Protocol = GPRS-PDP-Context Service-Type = Framed-User NAS-Port-Type = Virtual NAS-Port = 230647144 Calling-Station-Id = "00121231234" 3GPP-PDP-Type = 0 3GPP-SGSN-Address = x.x.x.x 3GPP-GGSN-Address = x.x.x.x +- entering group authorize {...} ... ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "void" [pap] Using clear text password "void" [pap] User authenticated successfully ++[pap] returns ok expand: The elders of the internet have granted you access -> The elders of the internet have granted you access Login OK: [void/void] (from client XXX_APN port 230647144 cli 00121231234) The elders of the internet have granted you access +- entering group post-auth {...} ... Using CHAP: * The blank password transmitted is picked up by the RADIUS as a challenge * To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | "" ] * Here are snippets of a successful connection rad_recv: Access-Request packet from host x.x.x.x port 50312, id=67, length=175 User-Name = "void" CHAP-Challenge = 0x48e2fc18c8f16b825cc4ce7c06b4bdea CHAP-Password = 0x012a6931a816773e44873124ecd7701e57 NAS-IP-Address = x.x.x.x NAS-Identifier = "rbggs2" Called-Station-Id = "apn.xxx.net" Framed-Protocol = GPRS-PDP-Context Service-Type = Framed-User NAS-Port-Type = Virtual NAS-Port = 123703984 Calling-Station-Id = "00121231234" 3GPP-PDP-Type = 0 3GPP-SGSN-Address = x.x.x.x 3GPP-GGSN-Address = x.x.x.x +- entering group authorize {...} ... ++[logintime] returns noop [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. CHAP-Password is correct. expand: The elders of the internet have granted you access -> The elders of the internet have granted you access Login OK: [void/<CHAP-Password>] (from client XXX_APN port 100795256 cli 00121231234) The elders of the internet have granted you access +- entering group post-auth {...} ... Is the transmission of the 'blank password' the responsibility of the NAS or can the password be manipulated in the FR settings / configs? Thanks Wynand