Please, someone can help with the special character '%' inside in User-Password attribute? the radius generates a exception in authorize phase, and the authentication fails. This occurs when PAP is selected. Is possible escape special characters in User-Password attribute? how i do it? please show me an example. I'm using freeradius 3.0.1, with CentOS 7. In the past I was using freeradius 2.1 with Debian 6, this problem never occurred. At below debug is possible see the problem. rad_recv: Access-Request packet from host 172.25.89.1 port 32768, id=250, length=157 User-Name = '0006882' User-Password = '#mypass123%' Service-Type = Login-User NAS-IP-Address = 172.25.89.1 NAS-Port = 4 NAS-Identifier = 'WLC-PTI' NAS-Port-Type = Wireless-802.11 Airespace-Wlan-Id = 8 Calling-Station-Id = '00-db-df-27-2a-45' Called-Station-Id = 'dc-a5-f4-1d-1b-60:PTI-WIFI' Message-Authenticator = 0xe6054dc6d0e931d8210d4851a1c68e34 (24) # Executing section authorize from file /etc/raddb/sites-enabled/default (24) authorize { (24) ? if (User-Name !~ /@/) (24) ? if (User-Name !~ /@/) -> TRUE (24) if (User-Name !~ /@/) { (24) update request { (24) Realm := "pti" (24) } # update request = noop (24) } # if (User-Name !~ /@/) = noop (24) [preprocess] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix : Request already has destination realm set. Ignoring. (24) [suffix] = ok (24) update control { (24) Proxy-To-Realm := 'LOCAL' (24) } # update control = noop (24) eap : No EAP-Message, not doing EAP (24) [eap] = noop (24) [files] = noop (24) ? if ( Service-Type == "Login-User") (24) expand: "Login-User" -> 'Login-User' (24) ? if ( Service-Type == "Login-User") -> TRUE (24) if ( Service-Type == "Login-User") { (24) ? if ( Realm == "pti") (24) expand: "pti" -> 'pti' (24) ? if ( Realm == "pti") -> TRUE (24) if ( Realm == "pti") { rlm_ldap (ldap_pti): Reserved connection (4) (24) ldap_pti : expand: "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))" -> '(&(uid=0006882)(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))' (24) ldap_pti : expand: "ou=instituicoes,dc=parque" -> 'ou=instituicoes,dc=parque' (24) ldap_pti : Performing search in 'ou=instituicoes,dc=parque' with filter '(&(uid=0006882)(habitantActive=TRUE)(habitantLoginActive=TRUE)(habitantWirelessActive=TRUE))' (24) ldap_pti : Waiting for search result... (24) ldap_pti : User object found at DN "uid=0006882,cn=0040574,ou=instituicoes,dc=parque" (24) ldap_pti : Processing user attributes (24) ldap_pti : control:Password-With-Header += '{SSHA}395fMQk8eSN+V+vDRKuc4JuAPTh7eV4c' (24) ldap_pti : control:NT-Password := 0x4335413336304144323434343343453142413437383138464642383638323046 rlm_ldap (ldap_pti): Released connection (4) (24) [ldap_pti] = ok (24) } # if ( Realm == "pti") = ok (24) ? if ( Realm == "vst") (24) expand: "vst" -> 'vst' (24) ? if ( Realm == "vst") -> FALSE (24) } # if ( Service-Type == "Login-User") = ok (24) [expiration] = noop (24) [logintime] = noop (24) pap : Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes (24) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (24) [pap] = updated (24) } # authorize = updated (24) Found Auth-Type = PAP (24) # Executing group from file /etc/raddb/sites-enabled/default (24) Auth-Type PAP { (24) pap : login attempt with password "#mypass123%" (24) pap : Using NT encryption. (24) ERROR: pap : #mypass123% (24) ERROR: pap : ^ Invalid variable expansion (24) pap : expand: "%{mschap:NT-Hash %{User-Password}}" -> '' (24) ERROR: pap : NT password check failed (24) pap : Passwords don't match (24) [pap] = reject (24) } # Auth-Type PAP = reject (24) Failed to authenticate the user. (24) Login incorrect (pap: #mypass123%): [0006882] (from client controladora-wlan-1 port 4 cli 00-db-df-27-2a-45) (24) Using Post-Auth-Type Reject (24) # Executing group from file /etc/raddb/sites-enabled/default (24) Post-Auth-Type REJECT { (24) attr_filter.access_reject : expand: "%{User-Name}" -> '0006882' (24) attr_filter.access_reject : Matched entry DEFAULT at line 11 (24) [attr_filter.access_reject] = updated (24) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (24) [eap] = noop (24) remove_reply_message_if_eap remove_reply_message_if_eap { (24) ? if (reply:EAP-Message && reply:Reply-Message) (24) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (24) else else { (24) [noop] = noop (24) } # else else = noop (24) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (24) } # Post-Auth-Type REJECT = updated (24) Finished request 24. Waking up in 0.3 seconds. Waking up in 0.6 seconds. (24) Sending delayed reject Sending Access-Reject of id 250 from 186.233.12.25 port 1812 to 172.25.89.1 port 32768 Waking up in 2.2 seconds. -- João Paulo de Lima Barbosa "Para chegar aonde a maioria não chega, você precisa fazer o que a maioria não faz."