OR-type authentication



My radiusd.conf file
...
modules {
       mschap certificate_userpass {
               authtype = MS-CHAP
               use_mppe = yes
               require_encryption = yes
               require_strong = yes
       }
       mschap winlogon {
               authtype = MS-CHAP
               use_mppe = yes
               require_encryption = yes
               require_strong = yes
               with_ntdomain_hack = yes
               ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{winlogon:NT-Domain} --username=%{winlogon:User-Name} --challenge=%{winlogon:Challenge:-00} --nt-response=%{winlogon:NT-Response:-00}"
       }
       $INCLUDE  ${confdir}/eap.conf
       $INCLUDE  ${confdir}/sql.conf
...
instantiate {
       exec
       certificate_userpass
       winlogon
}
...
authorize {
       redundant {
               sql
               winlogon
               certificate_userpass
       }
       eap
}
...
authenticate {
       Auth-Type MS-CHAP {
               redundant {
                               certificate_userpass
                               winlogon
               }
       }
       eap
}
...
Using this configuration, I am able to connect to the network using a certificate on the client computer or by providing a user name and password which are checked against the MySQL database, but I can't authenticate against the AD. If I comment out the part regarding sql from the authorize section and change the authenticate section like this (inverse order):
authenticate {
       Auth-Type MS-CHAP {
               redundant {
                               winlogon
                               certificate
               }
       }
       eap
}
I can now authenticate against the AD and using certificates, but not using the database.
Question:
What changes do I require in order to be able to grant access taking into account the three methods?

Thanks for your assistance
Cheers
Héctor
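
The behaviour reported above, as an added example that is not part of the original message: a simplified Python model of how a `redundant` block in `Auth-Type MS-CHAP` picks its result. It assumes that an mschap instance answers `reject` (not `fail`) for a user its backend does not know, which matches the symptoms in the post. The user names, passwords and the `CONTINUE_ON_REJECT` policy are constructed for illustration.

```python
# Simplified model (assumption of this example, not FreeRADIUS source code):
# each module returns an rcode; the section maps that rcode either to
# "return" (stop immediately) or to a numeric priority (keep going).
RETURN = "return"

# redundant: only "fail" moves on to the next module, anything else stops.
REDUNDANT = {"fail": 1}
# Hypothetical policy: also move on when a backend rejects the user.
CONTINUE_ON_REJECT = {"fail": 1, "reject": 1}

def make_mschap(backend_users):
    """Stand-in for one mschap instance backed by a user store."""
    def module(request):
        known = backend_users.get(request["user"]) == request["password"]
        return "ok" if known else "reject"   # assumed: reject, never fail
    return module

def run_section(modules, actions, request):
    """Walk the modules in order; return (final_rcode, modules_tried)."""
    best, best_prio, tried = "fail", 0, []
    for name, module in modules:
        rcode = module(request)
        tried.append(name)
        action = actions.get(rcode, RETURN)
        if action == RETURN:
            return rcode, tried
        if action >= best_prio:
            best, best_prio = rcode, action
    return best, tried

# Constructed sample data: one user only in the SQL store, one only in AD.
DB_USERS = {"dbuser": "dbpass"}
AD_USERS = {"aduser": "adpass"}
SQL_FIRST = [("certificate_userpass", make_mschap(DB_USERS)),
             ("winlogon", make_mschap(AD_USERS))]
AD_FIRST = list(reversed(SQL_FIRST))
REQUESTS = [{"user": "dbuser", "password": "dbpass"},
            {"user": "aduser", "password": "adpass"}]

def outcomes(modules, actions):
    """Final rcode per sample user for a given module order and policy."""
    return {r["user"]: run_section(modules, actions, r)[0] for r in REQUESTS}

if __name__ == "__main__":
    print("redundant, SQL first:", outcomes(SQL_FIRST, REDUNDANT))
    print("redundant, AD first: ", outcomes(AD_FIRST, REDUNDANT))
    print("continue on reject:  ", outcomes(SQL_FIRST, CONTINUE_ON_REJECT))
```

With a continue-on-reject policy a user is accepted if any backend accepts, and every wrong password is also presented to the later backend, so AD lockout counters and per-backend failure logs need watching.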





