Okay, I've gotten a bit further, but I'm still not grasping something in the process flow from authorization to authentication and EAP outer and inner methods. I'll paste relevant chunks of my authorize, authenticate, and eap config sections below. The conditional switch statement is working properly and matching my SSID (I do have other statements there, I just chopped them out here for brevity), the LDAP lookup is working properly and granting me authorization, but when it goes to EAP to perform authentication it seems like it never gets to the inner MSCHAPv2 auth and eventually fails. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [nicholas_kartsioukas] (from client slo-wlc1 port 0 via TLS tunnel) } # server [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE I've attached the full debug log. Hopefully someone can point me in the right direction? Thanks! authorize { preprocess auth_log rewrite_called_station_id switch Called-Station-Ssid { case "test" { redundant-load-balance { ldap_parrotfish ldap_prawn ldap_pike } update control { Auth-Type = CUESTA } } } files expiration logintime } authenticate { Auth-Type CUESTA { eap_cuesta mschap_cuesta } } eap eap_cuesta { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = /etc/ssl/private/webauth.cuesta.edu.key certificate_file = /etc/ssl/certs/webauth.cuesta.edu.cert CA_file = /etc/ssl/certs/thawte_ssl_webserver_intermediate_cert.crt dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = /etc/ssl/certs cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 # the PEAP module also has these configuration # items, which are the same as for TTLS. copy_request_to_tunnel = no use_tunneled_reply = no } mschapv2 { } }