I finally got around to updating the horrible OpenSSL certificate handling in the server. You can now do: $ cd /etc/raddb/certs $ make and you'll get sane certificates. Don't like the values for commonName, Country, etc? $ cd /etc/raddb/certs $ make distclean $ vi server.cnf $ make server.pem Much, much better. There's even a README that's readable. And instructions for creating client certificates for EAP-TLS. So far as I can tell, it works. Also, Peter will be happy to know that you can now do: authorize { ... Status-Server { foo } ... } accounting { ... Status-Server { bar } ... } It should be self-explanatory. If it isn't, the explanation is that the modules in the Status-Server section of authorize/accounting are run whenever the server receives a Status-Server packet. The modules can return OK, in which case the server responds, or FAIL, in which case the Status-Server is dropped on the floor. There's also a Post-Proxy-Type Fail. It gets run when the server discovers that there are no live home servers for a request. This happens in the child thread when it's proxying, if all are dead. If the main thread receives a retransmit, and notices that all of the home servers are dead, it runs the request through Post-Proxy-Type Fail.... in a child thread. Now all I have to do is make it handle HUP in a sane fashion, and it'll be the killer app. :) Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog