Hi, Just had a thought. Currently with internal EAP proxying copy_request_to_tunnel = yes use_tunneled_reply = yes Mean that when the contents of the eap packet is proxied internally the attributes from the radius packet get copied to the proxy request. And that the final set of reply attributes is taken directly from the reply attributes sent back from the internal proxy. Which means you can use DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := "Eap-Internal" Autz-Type eap-internal { mschap # Grab NT-Password from directory for use in MSChap-V2 ldap # Read Authorisation groups from SQL Server sql } Which speeds things up a great deal when doing EAP... Unfortunately this breaks anything which relies on Packet-Src-IP-Address / Client-IP-Address As they will be 127.0.0.1 *sigh* Can you see any way of getting round this ? Need Client-IP-Address to determine which set of proxies the request is coming in form... -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900