Hi everyone, I'm having a hell of a time upgrading from 1.1.3 to 1.1.4 due to PAP. First of all, leaving my settings as they are doesn't work at all. I'm beginning to wonder if my 1.1.3 configuration shouldn't work at all yet somehow magically does what I want it to. I currently (1.1.3) don't have a *-Password attribute. The table has a "password" field in it that I use in a crazy SQL query. It fakes a row with the "User-Password" attribute. The passwords are all SHA1 hashed. This is what happens when using the 1.1.3 config ("encryption_scheme = sha1"): rad_recv: Access-Request packet from host 192.168.0.10:54288, id=46, length=56 User-Name = "test" User-Password = "qwertyuiop1" NAS-IP-Address = 255.255.255.255 NAS-Port = 1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 radius_xlat: 'test' rlm_sql (sql): sql_set_user escaped user --> 'test' ... modcall[authorize]: module "sql" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 1 rlm_pap: login attempt with password qwertyuiop1 rlm_pap: No password configured for the user. Cannot do authentication modcall[authenticate]: module "pap" returns fail for request 1 modcall: leaving group PAP (returns fail) for request 1 auth: Failed to validate the user. Login incorrect: [test] (from client localhost port 1) This is where I get lost, radiusd.conf: modules { pap { encryption_scheme = sha1 } ... } ... authorize { sql } authenticate { Auth-Type PAP { pap } } I know the rlm_pap man page talks about putting "pap" into authorize{}, so maybe that is what is preventing it from working, though it does seem to get to into rlm_pap above. Adding the header onto the password in the DB doesn't help (though I didn't expect it to). So at this point I tried making things the way they should be: modules { pap { # encryption_scheme = sha1 auto_header = yes } ... } Didn't work with non-prefixed password (duh). This is what I get after prepending "{sha1}" to the password: Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password qwertyuiop1 rlm_pap: Using clear text password. rlm_pap: Passwords don't match modcall[authenticate]: module "pap" returns reject for request 0 modcall: leaving group PAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1) Okay, so it didn't pick up the header, so I put pap into authorize{} after "sql" as the man page says and now I get: Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 radius_xlat: 'test' rlm_sql (sql): sql_set_user escaped user --> 'test' ... modcall[authorize]: module "sql" returns ok for request 0 rlm_pap: Found unknown header {{sha1}}: Not doing anything rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 0 rlm_pap: login attempt with password qwertyuiop1 rlm_pap: Using clear text password. rlm_pap: Passwords don't match modcall[authenticate]: module "pap" returns reject for request 0 modcall: leaving group PAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test] (from client localhost port 1) Now it says unknown header {{sha1}}. I dunno what this means, maybe it wasn't compiled correctly, or I'm specifying the header wrong? I have "{sha1}ar3h8ir4r4a3r..." in the field. I tried skipping this (according to my understanding of the man page) by changing User-Password to SHA1-Password, but that breaks my SQL driver: rlm_sql: Failed to create the pair: Unknown attribute "SHA1-Password" rlm_sql (sql): Error getting data from database rlm_sql (sql): SQL query error; rejecting user I'm kinda lost now. I'm guessing that if the header was known, things would work, but for some reason it doesn't understand the "{sha1}" prefix... Thanks, Josh