I found the sollution some time ago. This might be helpful for beginners like me. The PEAP authentication is done using the site-enable/inner-tunnel virtual server configuration by default. So in the site-enabled/inner-tunnel in the section authorize add these: ====================== sql if (SQL-Group == "wifi") { # ok to login } else { reject } ====================== My original goal was to distinguish between wifi users and openvpn users. Openvpn users gets authenticated using the radiusplugin with username and password. I use the radius server just for wifi and openvpn so I just need the site-enabled/default config ======================== sql if (NAS-Identifier == "OpenVpn") { #Nas-identifier is set in radiusplugin.cnf if (SQL-Group == "openvpn") { } else { reject } } ========================= And one last note - PEAP is using MSCHAPv2 and so the passwords must be stored in cleartext (or nthash)! I use for administration DiapUPAdmin - very nice and easy. Hopefully this will help to somebody who was lost like me. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius-MySQL-WiFi-PEAP-authorisa... Sent from the FreeRadius - User mailing list archive at Nabble.com.