Dear Alan, Below is our ldap module config: ldap ldapwifi1 { server = "192.168.154.33" identity = "uid=wifitest,ou=production,ou=system,o=domain.com" password = xxxxxx basedn = "o=domain.com" filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(!(nsaccountlock=true)))" base_filter = "(objectclass=*)" groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" ldap_connections_number = 5 timeout = 10 timelimit = 9 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap Framed-Ip-Address = ipaddress edir_account_policy_check = no } ldap ldapwifi2 { server = "192.168.154.34" identity = "uid=wifitest,ou=production,ou=system,o=domain.com" password = xxxxxx basedn = "o=mobistar.be" filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(!(nsaccountlock=true)))" base_filter = "(objectclass=*)" groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" ldap_connections_number = 5 timeout = 10 timelimit = 9 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap Framed-Ip-Address = ipaddress edir_account_policy_check = no } Below is my ldap server config in sites-enabled: server wifi { authorize { preprocess suffix # if ( Called-Station-id =~ /:OBE_Byod$/ ) { # eap_byod # } if( Called-Station-Id =~ /:OBE_Office$/ ) { eap } elsif( Airespace-Wlan-Id == 2 ) { redundant-load-balance { ldapwifi1 ldapwifi2 } } expiration logintime } authenticate { Auth-Type LDAP { redundant-load-balance { ldapwifi1 ldapwifi2 } } # Auth-Type eap_byod { # eap_byod #} Auth-Type eap { eap } } preacct { preprocess update request { FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" } acct_unique suffix } accounting { wifi linelog-session } session { } post-auth { if( Airespace-Wlan-Id == 2 ) { if( "%{control:LDAP-UserDN}" =~ /ou=guest,ou=wifi,o=domain.com$/i ) { noop } elsif( LDAP_Group == "cn=WiFiGuestPartners,ou=RADIUS Groups,ou=Groups,ou=staff,o=domain.com" ) { noop } else { reject } } linelog-access # Post-Auth-Type REJECT { # linelog-access # attr_filter.access_reject # } } pre-proxy { } post-proxy { } } Could you please help where is the configuration wrong..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI.