Hi, I'm moving a setup from freeradius 2 (CentOS 6) to freeradius 3 (CentOS 7). The server is hosting : - a backend to authenticate users on Wifi 802.1X TTLS-PAP (openldap) and PEAP-MSCHAPv2 (Active Directory) - a backend to authenticate users on network equipment for admin purpose We use several ldap instances described in the ldap module. Our openldap server does not permit to read password. We use anonymous binding to run the authentication process. So, auth-type := <ldap_instance> is setted by ldap module file in each ldap instance : set_auth_type = yes Network equipements are grouped in the file huntgroup to apply a specific policy by using filters on huntgroup and ldap group in the file users. The filter replies differents vendor specific attributes for each ldap group and finally, we reject the authentication if there is no match. For example, for devices from Juniper, we use this setup : DEFAULT Ldap-Group==ldap_group_1,Huntgroup-Name == JuniperNet Service-Type = Login, Juniper-Local-User-Name := "radius-admin" DEFAULT Ldap-Group==ldap_group_2,Huntgroup-Name == JuniperNet Service-Type = Login, Juniper-Local-User-Name := "radius-operator" DEFAULT Auth-Type := Reject,Huntgroup-Name == JuniperNet I took care of the file README.rst. I had also a look to the documentation page about ldap module : http://wiki.freeradius.org/modules/Rlm_ldap I still have few questions : 1) I notice that the variable Ldap-Group is no more set by the last ldap instance called. So, I corrected my config to describe the default instance ldap {}. It works but is it planned to be able to call another instance in the file authorize ? 2) Since the module ldap does not set auth-type := ldap anymore, I add the lines to the configuration of the site where needed : if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } Is it correct ? 3) Is it correct to use the file authorize to apply filters like we do ? or, shall we do it in the post auth section (it could be innacurate if we need to reject the access) ? Thanks you for your help Regards, -- Jérôme BERTHIER