Debug: ============== rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = "user" User-Password = "passwd" NAS-IP-Address = 138.253.XXX.XXX +- entering group authorize ++[preprocess] returns ok ++? if ("%{User-Name}" =~ /barred-user/i) expand: %{User-Name} -> user ? Evaluating ("%{User-Name}" =~ /barred-user/i) -> FALSE ++? if ("%{User-Name}" =~ /barred-user/i) -> FALSE expand: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303 rlm_detail: /usr/radius201/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/radius201/log/radacct/138.253.XXX.XXX/auth-detail-20080303 expand: %t -> Mon Mar 3 11:28:08 2008 ++[auth_log] returns ok ++[mschap] returns noop ++[chap] returns noop rlm_realm: No '@' in User-Name = "user", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "user" rlm_realm: Proxying request from user user to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop users: Matched entry DEFAULT at line 211 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type mschap auth: type "MSCHAP" +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: No MS-CHAP-Challenge in the request ++[mschap] returns reject auth: Failed to validate the user. Login incorrect: [user/passwd] (from client EZProxy port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032 Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 Sending duplicate reply to client EZProxy port 47032 - ID: 195 Sending Access-Reject of id 195 to 138.253.XXX.XXX port 47032 Waking up in 4.9 seconds. Cleaning up request 0 ID 195 with timestamp +24 Ready to process requests. ================== Config: users: DEFAULT Auth-Type = mschap Acct-Session-Id = "Local", Fall-Through = Yes radiusd.conf: mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } If I don’t force MSCHAP in users, how else do I get the user checked against AD when the only place ntlm_auth is called is inside the mschap module? --------------- Barry Dean Networks Team