Hi Olivier, Have a look in your authorize section... You should have this in your authorize section too (*after* the 'pap' line, which should be active): if (&request:User-Password) { update control { Auth-Type = ldap } } Note that the operator is '=', not ':='. This means that an Auth-Type is only set when none exists. The message about the server no longer authenticating cleartext passwords in the User-Password attribute only refers to entries in the 'users' file or other backends (such as databases). AFAIK, RADIUS protocol will always continue to send User-Password, which the PAP module (and others) will decode based on what they find in it. Given that your Access-Request packet does contain User-Password, I suspect it's the fact that you don't set an Auth-Type with unlang that it fails. V3 is much more powerful and flexible (but stricter). :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.