Hi Christoph, your log shows the cause of the problem: --------8<--------8<--------8<--------8<-------- (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=test) (8) ldap: Performing search in "dc=uni-koblenz,dc=de" with filter "(uid=test)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (8) [ldap] = notfound (8) } # else = notfound (8) } # else = notfound (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eapoldca (8) Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject --------8<--------8<--------8<--------8<-------- The user "test" is not found in your LDAP directory and is hence rejected. I haven't looked at the rest of the configuration but it's safe to say that for this particular connection attempt, that's the root cause of the client not being able to connect. The PEAP tunnel is established successfully, the inner authentication seems to run as well (though I don't understand why you need the "if (&User-Name == "eduroam...")" statement in the inner-tunnel configuration because you only need it for the TLS handshake of the outer tunnel). Kind regards, Christian Strauf -- Dipl.-Math. Christian Strauf Clausthal Univ. of Technology E-Mail: strauf@rz.tu-clausthal.de Rechenzentrum Web: www.rz.tu-clausthal.de Erzstraße 18 Tel.: +49-5323-72-2086 Fax: -992086 D-38678 Clausthal-Zellerfeld