My radiusd.conf file ... modules { mschap certificate_userpass { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } mschap winlogon { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{winlogon:NT-Domain} --username=%{winlogon:User-Name} --challenge=%{winlogon:Challenge:-00} --nt-response=%{winlogon:NT-Response:-00}" } $INCLUDE ${confdir}/eap.conf $INCLUDE ${confdir}/sql.conf ... instantiate { exec certificate_userpass winlogon } ... authorize { redundant { sql winlogon certificate_userpass } eap } ... authenticate { Auth-Type MS-CHAP { redundant { certificate_userpass winlogon } } eap } ... Using this configuration, I am able to connect to the network using a certificate on the client computer or providing a user name and password which are checked against the mysql database, but I can't authenticate against the AD. If I comment out the part regarding sql from the authorize section and do like this in the authenticate section (inverse order): authenticate { Auth-Type MS-CHAP { redundant { winlogon certificate } } eap } I can now authenticate against the AD and using certificates, but not using the database. Question: What changes do I require in order to be able to grant access taking into account the three methods? Thanks for your assistance Cheers Héctor