Can rlm_passwd be used together with EAP-MD5? If I in the users file set "Password == blabla" for a user test-user and then connects using radeapclient as described in the manual with "EAP-MD5-Password = blabla" it works fine. However, I want to use an external clear-text password instead of having the password in users, since I want to change the password for each and every test, and do not want to HUP radiusd all the time. Is this at all possible? More details... On the same server I use rlm_passwd already for authenticate certain clients against a TACACS passwd file, and for those clients I have in users file entires like this: DEFAULT Auth-Type := PAP, Client-IP-Address == "w.x.y.z" which (if I have grasped things right) enforces those to use PAP, and this works excellent with module passwd tacacs { filename = /local/etc/tacpasswd format = "*User-Name:Crypt-Password:::::" delimiter = ":" hashsize = 100 ignorenislike = yes ignoreempty = yes allowmultiplekeys = no } Now, what I want is another passwd-module as above: passwd mypw { filename = ${confdir}/mypasswd format = "*User-Name:Cleartext-Password" delimiter = ":" hashsize = 100 ignorenislike = yes ignoreempty = yes allowmultiplekeys = no } and mypasswd being in the form "test-user:cleartextpassword" and in users instead of: test-user Password == "blabla", NAS-Identifier == "mytest-NAS" Reply-Message = "myradius.somewhere.no: OK" which works just fine, I have test-user NAS-Identifier == "mytest-NAS" Reply-Message = "myradius.somewhere.no: OK" and have EAP-MD5 work with this. My radeapclient sends: User-Name = test-user@test-realm.no NAS-Identifier = mytest-NAS EAP-MD5-Password = blabla EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = test-user@test-realm.no Message-Authenticator = 0x00 NAS-Port = 0 With the above I get in the log: Info: rlm_eap_md5: User-Password is required for EAP-MD5 authentication Auth: Login incorrect: [test-user] (from client blabla.somewhere.no port 0) And with debug (-X) I see this: modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry test-user at line 7 Yay! modcall[authorize]: module "files" returns ok for request 5 modcall[authorize]: module "tacacs" returns notfound for request 5 modcall[authorize]: module "mypw" returns notfound for request 5 Sob.. why? rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/md5 rlm_eap: processing type md5 rlm_eap_md5: User-Password is required for EAP-MD5 authentication rlm_eap: Handler failed in EAP/md5 rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 5 modcall: leaving group authenticate (returns invalid) for request 5 auth: Failed to validate the user. Login incorrect: [test-user] (from client foo.somewhere.no port 0) Anyone got a tip on how I might do this? As for "Why EAP-MD5?", I just need some EAP-method for which I can easily generate requests with radeapclient. Thanks! :) -- Kolbjørn Barmen UNINETT Driftsenter