Hello list, Radius authentication works fine. The problem is after, when my radiusclient/application sends another radius Access-Request message but without the User-Password field and freeradius complains that it requires it since we are using Digest. What the radiusclient is trying to do is find out if a user (in this case 1000) belongs to a specific group. In /etc/raddb/users file I have the following at line 152: DEFAULT Auth-Type = System Fall-Through = 1 DEFAULT Service-Type == Group-Check, Auth-Type := None DEFAULT Service-Type == SIP-Callee-AVPs, Auth-Type := None ----- These are mysql tables: +----+----------+-----------+----+----------+ | id | UserName | Attribute | op | Value | +----+----------+-----------+----+----------+ | 1 | Jhassell | Password | == | changeme | | 2 | Rneis | Password | == | changeme | | 3 | 1000 | Password | == | 1000 | | 4 | 2000 | Password | == | 2000 | | 5 | 3000 | Password | == | 3000 | | 8 | 1000 | Auth-Type | := | Digest | +----+----------+-----------+----+----------+ +----+-----------+-----------+----+--------+ | id | GroupName | Attribute | op | Value | +----+-----------+-----------+----+--------+ | 6 | Dialin | Auth-Type | := | Accept | +----+-----------+-----------+----+--------+ +----+-----------+---------------+----+----------------------------------+-- ----+ | id | GroupName | Attribute | op | Value | prio | +----+-----------+---------------+----+----------------------------------+-- ----+ | 1 | Dialin | Reply-Message | = | "Authenticated by group Dialin" | 0 | | 2 | Dialin2 | Reply-Message | = | "Authenticated by group Dialin2" | 0 | +----+-----------+---------------+----+----------------------------------+-- ----+ +----+----------+---------------+----+------------------+ | id | UserName | Attribute | op | Value | +----+----------+---------------+----+------------------+ | 1 | 1000 | Reply-Message | = | "Authenticated" | | 2 | 1000 | Sip-Group | = | Dialin | | 3 | 1000 | SIP-AVP | = | Sip-Group:Dialin | +----+----------+---------------+----+------------------+ +----+----------+------------+ | id | UserName | GroupName | +----+----------+------------+ | 1 | Jhassell | Dialin | | 2 | Rneis | Staticdial | | 3 | 1000 | Dialin | | 4 | 2000 | Dialin | | 5 | 3000 | Dialin | | 6 | 3000 | Dialin2 | +----+----------+------------+ ------ This is the debug I get from freeradius for the group check: rad_recv: Access-Request packet from host xx.xx.xx.xx:33025, id=15, length=67 User-Name = "1000@xx.xx.xx.xx" Sip-Group = "Dialin2" Service-Type = Group-Check NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 74 modcall[authorize]: module "preprocess" returns ok for request 74 modcall[authorize]: module "chap" returns noop for request 74 modcall[authorize]: module "mschap" returns noop for request 74 modcall[authorize]: module "digest" returns noop for request 74 rlm_realm: Looking up realm "xx.xx.xx.xx" for User-Name = "1000@xx.xx.xx.xx" rlm_realm: Found realm "xx.xx.xx.xx" rlm_realm: Adding Stripped-User-Name = "1000" rlm_realm: Proxying request from user 1000 to realm xx.xx.xx.xx rlm_realm: Adding Realm = "xx.xx.xx.xx" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 74 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 74 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 74 radius_xlat: '1000' rlm_sql (sql): sql_set_user escaped user --> '1000' rlm_sql (sql): Released sql socket id: 0 modcall[authorize]: module "sql" returns ok for request 74 modcall: group authorize returns ok for request 74 rad_check_password: Found Auth-Type Digest auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 74 ERROR: No Digest-Nonce: Cannot perform Digest authentication modcall[authenticate]: module "digest" returns invalid for request 74 modcall: group authenticate returns invalid for request 74 auth: Failed to validate the user. Delaying request 74 for 1 seconds Finished request 74 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 15 to xx.xx.xx.xx:33025 Reply-Message = "Authenticated" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 74 ID 15 with timestamp 434f1121 Nothing to do. Sleeping until we see a request. Any help in this matter would be deeply appreciated, thanks Lenir