Hi, I've set up a Cisco WLC carrying several SSIDs authenticating against freeradius using EAP-PEAP. I would like to make it so that specific users can only connect to some SSIDs. Requests contain the attribute "Airespace-Wlan-Id" which contains the numeric index of the SSID the request is associated to. I have therefore set up my users file like this: test1 Auth-Type == EAP, Airespace-Wlan-Id == 2, NAS-IP-Address == 192.168.225.110, Cleartext-Password := "test1" This, however, doesn't seem to work as freeradius seems to drop the Airespace-Wlan-Id attribute while processing the request. As can be seen in the debug trace (debug_fail.txt), the user is being matched at first ([files] users: Matched entry test1 at line 173) but isn't found later on. When I remove that one check from the users file leaving test1 Auth-Type == EAP, NAS-IP-Address == 192.168.225.110, Cleartext-Password := "test1" the request is being accepted (see debug_ok.txt). The reject is clearly coming from freeradius being unable to match the request against the users file therefore being unable to get to the cleartext password, but only when I'm checking the Airespace-Wlan-Id attribute. However, as can be seen, the attribute is present in the request and the user is matched at first, even for the failed attempt. This is freeradius 2.1.8 on Ubuntu 10.04, I'm not using inner-tunnel for EAP. I'm clearly missing something here, could somebody point me in the right direction? Thanks and regards, Bodo Bodo Bellut bodo@bellut.net | USE PGP! +-----------+ Stangefolstr. 17 Fax/Mobile: just ask | (key via server |\ O---m /| 44141 Dortmund Fon: +49-700-77-BELLUT | or on request) |/---------\| PGP: 768/FA18A639 AE 5A 47 40 5A A0 D6 15 8E 54 44 AA 8D DD 6E BD+-----------+