Is there any way to authorize a user using the inner-tunnel User-Name and not the outer? I get an outer User-Name of anonymous and a reject when searching for authorized users in an ldap group. If they convolute the configuration for the device with an outer User-Name of a person in the ldap group, it authorizes them, and they can authenticate using Kerberos. Mon Feb 8 12:53:21 2010 Packet-Type = Access-Request User-Name = "anonymous" ... Mon Feb 8 12:53:21 2010 Packet-Type = Access-Accept Reply-Message = "case WAREHOUSE" Reply-Message = "not authorized for mygroup" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "duser" ... Mon Feb 8 14:08:11 2010 Packet-Type = Access-Request User-Name = "duser" ... Mon Feb 8 14:08:11 2010 Packet-Type = Access-Accept Reply-Message = "case WAREHOUSE" Reply-Message = "Warehouse mygroup" Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "duser" /etc/raddb/sites-available/default ... case "WAREHOUSE" { update reply { reply-message += "case WAREHOUSE" } #EMPLOYEE { # need to use the inner-tunnel User-Name #} if ( EMPLOYEE-Ldap-Group == "mygroup" ) { update reply { reply-message += "Warehouse mygroup" } } else { update reply { reply-message += "not authorized for mygroup" } # update config { # Auth-Type := Reject # } } }