Hi all, I' ve a problem when i want to check user with huntgroup : bp3 User-Password := "test" , Calling-Station-Id == "844b.f5b8.d423" is Ok but not : bp3 User-Password := "test" , Calling-Station-Id == "844b.f5b8.d423" , Huntgroup-Name == "wifi" I read something like that in mailing list and it said that it could be : "as Alan said, inside the TLS tunnel the huntgroup check was failing. As the users file is checked on the first requests received, and the wrong huntgroup filtered out, it is not necessary to check it again inside the tunnel. I have removed it from my configuration and it is working ok now." What has been removed from the configuration ? partial ooutput : root@maxwell:/usr/local/etc/raddb# radiusd -X FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Mar 11 2013 at 13:51:19 ... Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/huntgroups reading pairlist file /usr/local/etc/raddb/hints ... Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. .... rad_recv: Access-Request packet from host 172.20.100.53 port 1645, id=199, length=162 User-Name = "bp3" Framed-MTU = 1400 Called-Station-Id = "0014.1bb6.4be0" Calling-Station-Id = "844b.f5b8.d423" Cisco-AVPair = "ssid=ipl_dsi" Service-Type = Login-User Message-Authenticator = 0xab5216a12cd14981035afde9d25910ae EAP-Message = 0x0202000801627033 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "748" NAS-Port = 748 NAS-IP-Address = 172.20.100.53 NAS-Identifier = "net-ap-A1-1-53" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "bp3", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry bp3 at line 213 ... [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - bp3 [peap] Got inner identity 'bp3' .... ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel ...