I have virtual site, that works with both EAP and not EAP request. In general case the main field, that used to query database or other storage is Username. EAP request usually has two identity anonymous and real. If user put in anonymous identity real username, that exists in database or users file. It can lead (in my case) to unexpected behavior. For example redirect request to home server. To handle this situation I added in "outer" virtual site the if clause like this authorize { chap mschap if (!&EAP-Message) { ... code that will be executed only for not EAP requests ... } eap pap } Is it safe to assume what all EAP request will have internal/real identity? Is there exists other better way to detect, (EAP request) what this Username is anonymous identity?