Hello everyone, I would like to receive some help on authentication with AD using CHAP Passwords. I´ve already configured the radius (v 2.1.6) to authenticate in the AD (Microsoft) using LDAP and clear-text passwords, until now it works perfectly, but in the radius debug appear the following message: rad_recv: Access-Request packet from host 192.168.0.100 port 64871, id=7, length=50 User-Name = "1000700025" User-Password = "123456" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "1000700025", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ldap] performing user authorization for 1000700025 [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=1000700025) [ldap] expand: dc=pedagogico,dc=net -> dc=pedagogico,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 172.17.16.4:389, authentication 0 rlm_ldap: bind as wni@pedagogico.net/wni@2009 to 172.17.16.4:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=pedagogico,dc=net, with filter (sAMAccountName=1000700025) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... è WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? ç [ldap] Setting Auth-Type = LDAP [ldap] user 1000700025 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "1000700025" with password "123456" [ldap] user DN: CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET rlm_ldap: (re)connect to 172.17.16.4:389, authentication 1 rlm_ldap: bind as CN=LUIZ RICARDO DE VILLA SCANDELARI,OU=Users,OU=UNIFAE,OU=Users and Computers,DC=PEDAGOGICO,DC=NET/123456 to 172.17.16.4:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [ldap] user 1000700025 authenticated succesfully ++[ldap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 7 to 192.168.0.100 port 64871 Finished request 0. I suppose that happens because I cannot read the AD user password, right? The important is that works with LDAP authentication. The problem is that I have a system that sends Access-Requests with Username and CHAP-Passwords (CoovaChilli), so radius authorize the user but cannot authenticate it. I´ve already read the Allan´s webpage (http://deployingradius.com/documents/configuration/active_directory.html) about integration of AD and RADIUS but I still have some questions. Can I use CHAP with SAMBA ntlm_auth method or should i need to change the password encryption to another protocol such as PAP or MS-CHAP? If I modify the coovachilli to send PAP passwords, am I going to be able to use ldap for authorization and authentication or do I need just plain? I hope somebody can help me. Thanks, LUIZ GUSTAVO SCANDELARI Skype: luiz.gustavo.wni