Hi I am in the process of upgrading our radius servers but have one issue outstanding. Basically we receive in the radius request from mobile a MSISDN. We then go do a lookup to find the username on LDAP matching the MSISDN. In the old version everything works fine but after upgrading the radius responds with access rejection even though MSISDN finds a username on LDAP. Below are extracts from the mobile virtual server file and ldap file. mobile virtual server: # The ldap module reads passwords from the LDAP database. -ldap-mobile if (!ok) { reject ldap: user { # Where to start searching in the tree for users base_dn = "${..base_dn}" # Filter for user objects, should be specific enough # to identify a single user object. #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #filter = "(mobileradiusCallingStationId=%{Calling-Station-Id})" filter = "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" Below is debug from version 3.0.1 rlm_ldap (ldap-mobile): Reserved connection (11) (9) ldap-mobile : expand: "(&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100))" -> '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : expand: "cn=radius,ou=isp" -> 'cn=radius,ou=isp' (9) ldap-mobile : Performing search in 'cn=radius,ou=isp' with filter '(&(mobileradiusCallingStationId=27671946862)(status=10100))' (9) ldap-mobile : Waiting for search result... (9) ldap-mobile : User object found at DN "uid=onyebilanma@telkomsa.net ,cn=radius,ou=isp" (9) ldap-mobile : Processing user attributes (9) ldap-mobile : reply:User-Name := 'onyebilanma@telkomsa.net ' (9) ldap-mobile : control:User-Name := ' onyebilanma@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (11) rlm_ldap (ldap-mobile): Opening additional connection (12) rlm_ldap (ldap-mobile): Connecting to 10.146.46.133:389 TLSMC: MozNSS compatibility interception begins. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (9) [-ldap-mobile] = ok (9) ? if (!ok) (9) ? if (!ok) -> FALSE (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) Login OK: [27671946862] (from client 105.187.248.220 port 0 cli 27671946862) (9) # Executing section post-auth from file /etc/raddb/sites-enabled/mobile (9) post-auth { (9) [exec] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) ? if (reply:EAP-Message && reply:Reply-Message) (9) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) update reply { (9) Acct-Interim-Interval = 14400 (9) } # update reply = noop (9) } # post-auth = noop Sending Access-Accept of id 134 from 10.146.44.71 port 1812 to 105.187.248.220 port 4017 User-Name = 'onyebilanma@telkomsa.net' Acct-Interim-Interval = 14400 Below is debug from version 3.2.2 rlm_ldap (ldap-mobile): Reserved connection (2) (5) ldap-mobile: EXPAND (&(mobileradiusCallingStationId=%{Calling-Station-Id})(status=10100)) (5) ldap-mobile: --> (&(mobileradiusCallingStationId=27659066168)(status=10100)) (5) ldap-mobile: Performing search in "cn=radius,ou=isp" with filter "(&(mobileradiusCallingStationId=27659066168)(status=10100))", scope "sub" (5) ldap-mobile: Waiting for search result... (5) ldap-mobile: User object found at DN "uid=ahmed.elhefnawy@telkomsa.net ,cn=radius,ou=isp" (5) ldap-mobile: Processing user attributes (5) ldap-mobile: reply:User-Name := 'ahmed.elhefnawy@telkomsa.net' (5) ldap-mobile: control:User-Name := 'ahmed.elhefnawy@telkomsa.net' rlm_ldap (ldap-mobile): Released connection (2) Need 4 more connections to reach min connections (8) Need more connections to reach 16 spares rlm_ldap (ldap-mobile): Opening additional connection (9), 1 of 28 pending slots used rlm_ldap (ldap-mobile): Connecting to ldap://10.146.46.133:389 rlm_ldap (ldap-mobile): Waiting for bind result... rlm_ldap (ldap-mobile): Bind successful (5) [ldap-mobile] = updated (5) if (!ok) { (5) if (!ok) -> TRUE (5) if (!ok) { (5) [reject] = reject (5) } # if (!ok) = reject (5) } # authorize = reject (5) Invalid user: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/raddb/sites-enabled/mobile (5) Post-Auth-Type REJECT { (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = noop (5) Login incorrect: [27659066168] (from client 105.187.248.220 port 0 cli 27659066168) (5) Delaying response for 2.000000 seconds Any advice would be appreciated? Regards Steven