Hi, could someone help me with the example of my configuration below? I have *Client* <---> * Wireless Controller*: MYWLAN(802.1x EAP) <---> *Freeradius.* AAA Server setting in Controller with IP: 192.168.100.3 (my internal freeradius) Freeradius *Version 3.0.16 with Mysql* *Two Freeradius servers: one HCRPP(internal) and CR(External)* radcheck attribute is *NT-Password* (HCRPP) , and the user stored in the database is without suffix. *radcheck attribute is Cleartext-Password to (CR)* *Freeradius HCRRP use EAP 802.1x and CR - PAP cleartext* *What I need is when a user authenticates without suffix or with suffix (@hcrpp.com <http://hcrpp.com>), use EAP-PEAP or TLS to authenticates in my local freeradius and if the suffix was @cr.net <http://cr.net> proxy to 126.100.20.3 with cleartext password.* When i'm logging with username and password *without suffix*, *it's works*, but when i'm logging with *suffix *like testuser@hcrpp.com or testuser@ cr.net i get this error message: suffix: Checking for suffix after "@" (22) suffix: Looking up realm "hcrpp.com" for User-Name = "testuser@ hcrpp.com" (22) suffix: Found realm "hcrpp.com" (22) suffix: Adding Realm = "hcrpp.com" (22) suffix: Proxying request from user testuser@hcrpp.com to realm hcrpp.com (22) suffix: Preparing to proxy authentication request to realm "hcrpp.com" (22) [suffix] = updated (22) update control { (22) &Proxy-To-Realm := "LOCAL" (22) } # update control = noop (22) eap: Peer sent EAP Response (code 2) ID 6 length 81 (22) eap: No EAP Start, assuming it's an on-going EAP conversation (22) [eap] = updated (22) sql: EXPAND %{User-Name} (22) sql: --> testuser@hcrpp.com (22) sql: SQL-User-Name set to 'testuser@hcrpp.com' rlm_sql (sql): Reserved connection (19) (22) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (22) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser@hcrpp.com' ORDER BY id (22) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (22) sql: --> SELECT groupname FROM radusergroup WHERE username = ' testuser@hcrpp.com' ORDER BY priority (22) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser@hcrpp.com' ORDER BY priority (22) sql: User not found in any groups rlm_sql (sql): Released connection (19) (22) [sql] = notfound (22) [pap] = noop (22) } # authorize = updated (22) Found Auth-Type = eap (22) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) authenticate { (22) eap: Expiring EAP session with state 0xa05ae720a05cfdb8 (22) eap: Finished EAP session with state 0xa05ae720a05cfdb8 (22) eap: Previous EAP request found for state 0xa05ae720a05cfdb8, released from the list (22) eap: Peer sent packet with method EAP MSCHAPv2 (26) (22) eap: Calling submodule eap_mschapv2 to process data (22) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (22) eap_mschapv2: Auth-Type MS-CHAP { *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password* *(22) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password* (22) mschap: Creating challenge hash with username: dbarcelini@cirp.usp.br (22) mschap: Client is using MS-CHAPv2 *(22) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication* *(22) mschap: ERROR: MS-CHAP2-Response is incorrect* *My config below* *proxy.conf* home_server HCRPP { type = auth+acct ipaddr = 192.168.100.3 port = 1821 secret = XXXX require_message_authenticator = yes response_window = 20 zombie_period = 40 status_check = status-server check_interval = 30 num_answers_to_alive = 3 max_outstanding = 65536 } home_server CR { type = auth+acct ipaddr = 126.100.20.3 port = 1812 secret = XXXX } home_server_pool HCRPPOOL { type = fail-over home_server = HCRPP } home_server_pool CRPOOL { type = fail-over home_server = CR } realm hcrpp.com { auth_pool = HCRPPOOL strip } realm cr.net { auth_pool = CRPOOL nostrip } ------------------------------------------ *mods-enabled/eap* eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } * ...* ttls { tls = tls-common copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" *sites-enabled/default* authorize { preprocess sql eap { ok = return updated = return } suffix *sites-enabled/inner-tunnel* authorize { suffix update control { &Proxy-To-Realm := "LOCAL" } eap { ok = return } sql Thanks