Thank you Stefan,
Have a look in your authorize section... You should have this in your authorize section too (*after* the 'pap' line, which should be active):
if (&request:User-Password) { update control { Auth-Type = ldap } }
I used if ((&request:User-Password) && (Client-IP-Address == "192.41.170.3")) { update control { Auth-Type = LDAPFIREWALL Ldap-UserDN = "uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" } } instead, and it works fine. I can customize it by client IP (having different instances of the ldap module, with different filters). It seems to work even is authorize pap has been disabled...
Note that the operator is '=', not ':='. This means that an Auth-Type is only set when none exists.
The message about the server no longer authenticating cleartext passwords in the User-Password attribute only refers to entries in the 'users' file or other backends (such as databases). AFAIK, RADIUS protocol will always continue to send User-Password, which the PAP module (and others) will decode based on what they find in it.
Given that your Access-Request packet does contain User-Password, I suspect it's the fact that you don't set an Auth-Type with unlang that it fails.
V3 is much more powerful and flexible (but stricter).
Indeed. I am left with a warning: (0) [ldap_firewall] = ok (0) } # Auth-Type LDAPFIREWALL = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) reply_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/radacct/192.41.170.3/reply-detail-20170921 (0) reply_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/radacct/192.41.170.3/reply-detail-20170921 (0) reply_log: WARNING: Skipping empty packet (0) [reply_log] = ok I am not sure how to eliminate this "WARNING: Skipping empty packet". Best regards, Olivier