I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity. I have moved to 2.1.8 with the inner-tunnel virtual host enabled. I have an authorise section for the relevant virtual server that has: authorize { preprocess auth_log chap mschap suffix eap { ok = return } files if (!EAP-Message) { ldap } expiration logintime pap } The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the outer identity, but if I want to send a basic User-Name/User-Password type auth request after checking with LDAP and returning "Remote access is permitted", I then see: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user What am I missing to tell the "authenticate" section below what I want to do next? authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } Auth-Type EAP { eap } eap } I presume: if (!EAP-Message) { ldap } Fails to set Auth-Type LDAP? ---------------------- Barry Dean Principal Programmer/Analyst Networks Group Computing Services Department Tel: 0151 795 9540