I recently upgraded from FR 2.2.5 to FR 3.0.12 as part of an upgrade from Debian jessie to stretch. The config had to be migrated manually, which went mostly without problems. But there was one config pattern I have been unable to figure out how to handle in FR 3.x: I use the unix module to load crypt passwords for a few system users. But there are also some unix users without any Unix password, which should exist as RADIUS users. "no Unix password" means that the users have a /etc/shadow entry which cannot be matched. So I need to ignore the Crypt-Password attribute for these users. In FR 2.x I explicitly set the Auth-Type to foribly ignore the invalid Crypt-Password, like this: luser Cleartext-Password := "foo", Auth-Type := Local But FR 3.x refused to accept Auth-Type "Local". So I tried to modify the entry to luser Cleartext-Password := "foo" in the hope that the pap module would be smart enough to figure out that the Cleartext-Password should override the invalid Crypt-Password. It was not. Being unable to figure out the smart way, I just took the simple route out by doing luser User-Password == "foo", Auth-Type := Accept But this is a bit ugly and rightfully cause warnings like Tue Jun 6 15:05:03 2017 : Warning: Found User-Password == "..." Tue Jun 6 15:05:03 2017 : Warning: Are you sure you don't mean Cleartext-Password? Tue Jun 6 15:05:03 2017 : Warning: See "man rlm_pap" for more information so I'd really like to figure out a better way. Is there a smart way to override a Crypt-Password per user in FR 3.x? I guess I could generate crypted passwords from the cleartext passwords and simply override Crypt-Password in the users file. But that does not seem much nicer than the current User-Password match to me. What I really want is to be able to say "use this Cleartext-Password no matter what". Bjørn