Hello, I am currently configuring a setup where an AD server is used to authenticate users via password _and_ supplemental attributes. So far I think I figured out that I need to use mschap {} with ntlm_auth to verify the password, but would need to use the ldap {} module to get the checkItems and replyItems I need to do the supplemental checking, and do the actual checking in the users file. Is that right? Secondly, I would like to use clear-text passwords in the Access-Request packets. Would the mschap module figure out things right automagically? As I see it, it only gets active and sets Auth-Type to MS-CHAP when it sees a Challenge in the Access-Request. Could this be one of the rare cases where I have to set Auth-Type manually (to MS-CHAP) get ntlm_auth running? Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu tél.: +352 424409-1 http://www.restena.lu fax: +352 422473