I'm new to Freeradius, so I'm looking either for an actual answer on how to do what I need, or to point me towards the right documentation so I can learn enough about how Freeradius config files are processed so that I can figure out the solution on my own. The situation is this: I've got a Freeradius server that successfully authenticates Wifi devices with EAP-TTLS with PAP for the inner tunnel. The system also works for ssh clients with PAM authentication. I set up it myself following different instructions, half-knowing but not really knowing what I was doing. But it works. Recently I set up an LDAP directory in Jumpcloud. Their instructions for integrating with Freeradius also are for PAP within TTLS, and involve making one change in the sites-available/inner-tunnel file: within the authorize{} block, move the following to the bottom of the block update control { Proxy-To-Realm := LOCAL } and insert Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` immediately after the Proxy-to-Realm line. The CheckUser.sh script is just a simple shell script that makes an LDAP query to Jumpcloud and returns a success or fail. Okay, I don't know what "update control" is for. I don't know how the authorize section works, but I made the changes and tested it out and it works fine for my Jumpcloud user. But it doesn't work anymore for my local LDAP users because irying to authenticate all users against jumpcloud. What I'd like is for the local ldap database to be queried first. And if that fails, then to check the Jumpcloud directory. Looking through the inner-tunnel file I see a few references to ldap, but these are all commented out, so I'm not clear how/where the local ldap database is being queried. -- ---