Also in discussions on JANET-ROAMING, it seems people are seeing 3 queries to their LDAP servers in inner-tunnel. I believe this is because, with PEAP/MSCHAP, there are 3 passes through the inner tunnel: * EAP identity -> Access-Challenge with EAP-MSCHAP challenge * EAP-MSCHAP response packet -> Access-Challenge with EAP success * EAP success -> Access-Accept In the outer tunnel the trick: eap { ok = return } ...can be used to stop processing, but that's specific to the PEAP/TTLS EAP types; the EAP module just returns "updated" for EAP-Identity and EAP-Success packets. Should rlm_eap return "ok" (or something) in authorize if the packet is an EAP-Identity, NAK, Success or Failure packets? Or maybe "handled" (although that's riskier, since the user can't opt out of it). This would allow you to do: server inner-tunnel { authorize { eap { ok = return } ldap } } Obviously you need to run SQL/LDAP for inner-eap method "response" packets to read Cleartext-Password / NT-Password in time for the authenticate {} section. Cheers Phil