Might be something easy, but I have read every document I can find and feel I'm doing exactly as they say.
I have a simple freeradius server running on FreeBSD and it's working perfectly for PAP authentication, and I have used NtRadPing to verify it.
On RouterOS Radius menu: Radius information is configured exactly as documents say, with IP of freebsd freeradius server and secret phrase (service "hotspot" is checked).
On Hotspot: I went to Hotspot -> Servers tab -> Profiles -> Choose your Profile for your hotspot and checked: "Use Radius" and "Accounting"...and I did do it for the correct profile (and the default profile just in case).
On profile for login, the only thing checked is: HTTP PAP.
The problem is, I added a user that is in the FreeRadius server. However, I put in a wrong password for the user in the hotspot just as a test, and when I log in to the hotspot and put in this username and password, it lets me right on and I can start browsing the Internet.
If I put in the wrong password in NtRadPing, I get "Access-Reject," just as it should, so it seems to me that RouterOS is the problem, not my freeradius server. In fact, it isn't even hitting the freeradius server at all, just accepting the user's name and password and letting it surf, even though I have it set to use radius on the hotspot.
I've rebooted the AP and relogged in and deleted the user from the hotspot repeatedly. Pretty much worked on this all day long.
Anyone have any ideas?