Each sites NAS should be configured to block EAP attacks or DoS or multitude of failures. But anyways, it doesn't matter for each END site what their LOCAL auth levels are - huge sites work 10k concurrent local campus users will have big numbers. The problem is the proxy packets as proxying is the Achilles heel where many bad things can happen. Remote sites not responding etc etc <br><br>Anyway, thus us just diversion. I saw no complaints when 'reject if not EAP' , for example, went into proxy.conf. noone is forced to use any of the existing policies (many dont!) However here we have a valid use case and many freeradius sites that will work better, out of the box, than other RADIUS solutions ;)<br><br>alan<br><br>--<br>This smartphone has free WiFi worldwide with eduroam, now that IS smart<br><br>