dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
This is: userPassword: {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= You MUST have plaintext passwords in your LDAP directory to do CHAP. Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21 Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP" Fri Jul 21 11:15:51 2006 : Debug: Processing the authenticate section of radiusd.conf Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0 Fri Jul 21 11:15:51 2006 : Debug: modsingle[authenticate]: calling pap (rlm_pap) for request 0 Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password". Your NAS submitted a CHAP request. You cannot check CHAP requests by simple bind to LDAP, only PAP. You have three choices: 1. Store plaintext passwords in userPassword in LDAP, and use CHAP, configured like this: authorize { preprocess chap ldap } authenticate { Auth-Type CHAP { chap } } 2. Store whatever you like in LDAP, configure your NAS to use PAP and LDAP simple binds, configured like this: authorize { preprocess ldap } authenticate { Auth-Type LDAP { ldap } } 3. Store crypted passwords in userPassword, configure your NAS to use PAP, and do PAP at the server side. Not recommended.