This is a snippet from radiusd -X rad_recv: Access-Request packet from host 192.166.0.10:1645, id=216, length=78 NAS-IP-Address = 192.166.0.10 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "daveg" Calling-Station-Id = "192.166.0.231" User-Password = "abcdef" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "daveg", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 1 modcall[authorize]: module "files" returns ok for request 0 My users file is just: DEFAULT Auth-Type == "PAP" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 1 there should be no match on line 1 because the check item doesn't match. I get the same match if I change PAP to EAP, is this a bug?