All, We're rolling out a password-expiry policy here, and it's been suggested that it would be helpful for the VPN to prompt a user to change their password, rather than just lock them out. The VPN is poptop on Linux, authing to FreeRadius, which current talks to winbind and then to our w2k3 servers but may be moving to proxy the final inner mschap to IAS (all the policy checks and interesting stuff will be staying on FreeRadius - but using FR2 and a proxy plus pool of home servers seems like to give us better failure and recovery characteristics when an AD controller goes away) When we MS-CHAP an expired account we get a MS-CHAP-Error packet in the reply as expected: Sending Access-Request of id 7 to 192.168.29.34 port 1812 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "test" MS-CHAP-Challenge = 0xSNIP MS-CHAP2-Response = 0xSNIP Calling-Station-Id = 192.168.55.55 NAS-IP-Address = 192.168.54.54 NAS-Port = 0 Proxy-State = 0x3633 --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46 Proxy-State = 0x3633 MS-CHAP-Error = "\000E=648 R=0 V=3" ...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error packet back to the radius client (pppd "radius.so" plugin) so my patches to pppd are unable to act on the error code. Am I wasting my time?