ok, now the normal authentication process works again! normally our config from the ldap request looks like the following: radiusd.conf: basedn = "CN=Users,DC=isalab,DC=local" filter = "sAMAccountName=%{Stripped-User-Name:-%{User-Name})" groupname_attribute = cn groupmembership_filter = "(|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = memberOf users: DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == ISALAB.local Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole", Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network", Fall-Through = No with this config we get the groupmembership from the users and we can give the filter-ID back to the switches. But with machine authentication it looks a bit different! first the DC ist Computers, no more users, then the sAMAccountName is for example IT88$ and freeradius gives the name host/it88.isalab.local to the AD, but this name stands in the servicePrincipalName! also there is no memberOf any more at the device! any ideas this is can be done? ca mIke