For a long long time now I've been using freeradius to auth PEAP and EAP-TLS inbound requests from eduroam to our Tier 1 FreeRadius ( 3.0.16) servers. We now want to enable our managed laptops to connect to eduroam at a remote site using machine authentication using EAP-TTLS. I've got part of the way in that I can see an inbound request from host/<fqdn of laptop> and a failure "Login incorrect (mschap: No such user [0xC0000064]): [host/dpslap001.its.york.ac.uk] (from client yorkcc port 76 cli 80-86-F2-E0-7D-24 via TLS tunnel)" So I guess this makes sense as our machines are in a different part of our AD Tree to our users. On our clearpass system I check for a username of the form host/.....york.ac.uk/ and do an auth against different AD tree branch and everything works. I'm using winbindd on our Tier 1 FR servers. Guess I need to create another mschap instance specifically for machine auths and point it at another part of the AD tree. Assuming that's what I have to do, how do I point mschap at a different part of the AD tree for authentication? Rgds Alex