hi, you still have ntlm_auth in your authorise section...thats wrong. take ntlm_auth out of there.
edit modules/mschap and uncomment the ntlm_auth line (and configure anything else you need such as MPPE) and then ensure that mschap is called in the virtual server (sites-enabled/default) and inner-tunnel (if using EAP) in the authenticate section. the default config as supplied by FreeRADIUS *WORKS* - I can vouch for that having started on many greenfield sites with a bare new FreeRADIUS server and getting packets auth'd with just a few config changes for the required purpose. i think you might be getting confused with the 'authorize' terminology. the server first checks to see if the user-name is authorised to connect (ie has the 'rights' to connect from a NAS, at a certain time etc etc), this stops it having to check the password first - a waste of auth server time! - the server then checks the authentication (ie is the password correct?) if the user is allowed to connect. after this, the post-auth and accounting is done. remember, if using EAP, the server will read eap.conf and by default will then use the inner-tunnel virtual server - so if using EAP you have THOSE auth/auth/acct sections to deal with too! alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html