I made a progress on this issue. I added pap under Autz-Type Ldap1, as below, and then Auth-Type was set to pap. authorize { preprocess chap mschap suffix eap Autz-Type Ldap1 { redundant-load-balance{ myldap myldap2 } pap # <-- the change } Autz-Type Web{ files } files pap } The purpose of doing this is to make sure pap is the last module being called during the authorization process. My questions are, 1. Is this configuration right? Or is it a correct way to construct Autz-Type? 2. Under what condition that ldap module will set Auth-Type to ldap? Thanks! Andrew P.S. In users file, DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1 Fall-Through = no Debug output, rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=8, length=98 User-Name = "tester" Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu" NAS-Port = 152 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "nortel" NAS-IP-Address = 192.168.1.113 User-Password = "testing" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu users: Matched entry DEFAULT at line 71 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Autz-Type Ldap1 +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authorize rlm_ldap: performing user authorization for tester WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester) expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester) rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tester authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[myldap] returns ok ++- redundant-load-balance group redundant-load-balance returns ok ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "testing" rlm_pap: Using SSHA encryption. rlm_pap: Normalizing SSHA1-Password from base64 encoding rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [tester] (from client myusj113 port 152) Sending Access-Accept of id 8 to 192.168.1.113 port 20000 Finished request 0. Going to the next request Waking up in 0.9 seconds. Waking up in 4.0 seconds. Cleaning up request 0 ID 8 with timestamp +54 Ready to process requests. _____ From: cxu [mailto:cxu@unbsj.ca] Sent: Thursday, February 07, 2008 2:27 PM To: 'freeradius-users@lists.freeradius.org' Subject: Problem when removing Auth-Type := Ldap in users file Hi, I am testing the freeradius server, and try to clarify rules applied in freeradius. In the following trials, I could not figure out how to make Autz-Type Ldap1 in authorize section to correctly set Auth-Type used in authentication without the help from "Auth-Type := Ldap1". With the following entry in users file, ************** DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1 ************** the user authentication worked fine. Below is the debug output. ************** rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19, length=98 User-Name = "tester" Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu" NAS-Port = 189 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "nortel" NAS-IP-Address = 192.168.1.113 User-Password = "testing" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu users: Matched entry DEFAULT at line 70 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Autz-Type Ldap1 +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authorize rlm_ldap: performing user authorization for tester WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester) expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester) rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tester authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[myldap2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok rad_check_password: Found Auth-Type Ldap1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "Ldap1" +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authenticate rlm_ldap: login attempt by "tester" with password "testing" rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tester authenticated succesfully +++[myldap2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok Login OK: [tester] (from client unbsj113 port 189) Sending Access-Accept of id 19 to 192.168.1.113 port 20000 Finished request 0. Going to the next request Waking up in 0.8 seconds. Waking up in 4.1 seconds. Cleaning up request 0 ID 19 with timestamp +99 Ready to process requests. ************** However when I removed Auth-Type := Ldap1 in the entry, ************** DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1 ************** the user authentication failed. The Auth Type is set to Local instead of Ldap.