Hi, First of all, sorry for my bad english. I have installed Freeradius (Version: 2.2.5+dfsg-0.2) on Debian 8.3 to authenticate users via our LDAP. I face an issue when i perform this radtest : /radtest toto "totopassword" 127.0.0.1 18120 "clientpassword"/ Here is the freeradius -X debug : rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 Sending duplicate reply to client localhost port 44928 - ID: 111 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 2.9 seconds. Cleaning up request 2 ID 111 with timestamp +114 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44928, id=111, length=48 User-Name = "toto" User-Password = "Ғ\325\354R\010\r\035\303b\230Fo8đ" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "toto", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++group { [ldap_1] performing user authorization for toto [ldap_1] expand: %{Stripped-User-Name} -> [ldap_1] ... expanding second conditional [ldap_1] expand: %{User-Name} -> toto [ldap_1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=toto) [ldap_1] expand: ou=Users,dc=XXXX,dc=fr -> ou=Users,dc=XXXX,dc=fr [ldap_1] ldap_get_conn: Checking Id: 0 [ldap_1] ldap_get_conn: Got Id: 0 [ldap_1] performing search in ou=Users,dc=XXXX,dc=fr, with filter (uid=toto) [ldap_1] checking if remote access for toto is allowed by uid [ldap_1] No default NMAS login sequence [ldap_1] looking for check items in directory... [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] userPassword -> Cleartext-Password == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] userPassword -> Password-With-Header == "{MD5}ICy5YqxZB1uWSwcVLSNLcA==" [ldap_1] sambaNtPassword -> NT-Password == 0x3344424445363937443731363930413736393230344245423132323833363738 [ldap_1] sambaLmPassword -> LM-Password == 0x4343463931353545334537444234353341414433423433354235313430344545 [ldap_1] looking for reply items in directory... [ldap_1] user toto authorized to use remote access [ldap_1] ldap_release_conn: Release Id: 0 +++[ldap_1] = ok ++} # group = ok ++[expiration] = noop ++[logintime] = noop +} # group authorize = ok WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! } # server inner-tunnel Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> toto attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 111 to 127.0.0.1 port 44928 Waking up in 4.9 seconds. Cleaning up request 3 ID 111 with timestamp +120 Ready to process requests. The user and client passwords are correct and i don't understand the following errors : WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. User-Password in the request does NOT match "known good" password. Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Thank you for your replies. Cordialement, - - Benjamin Dupalut Administrateur système et réseau Service des Moyens Informatiques Généraux (SMIG) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut@esiee.fr www.esiee.fr / www.cci-paris-idf.fr