Dear Alan Thanks for your prompt reply. Much appreciated. What I am trying to do is dynamically assigning users to the VLAN based on their LDAP OU. So if a user, such as test user abc is in the OU: cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local, he gets VLAN 11 dynamically. As explained this works the first time, but the second time the authentication is accepted but the Tunnel-Private-Group is not given, thus no VLAN is assigned. Quoting from you: If so "search returned no results" explains why it's not working. I think here lies the issue, however I am not sure how to go about fixing it. This is my /etc/freeradius/mods-enabled/eap file: radius@radius:/etc/freeradius/mods-enabled$ cat eap | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d' eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} md5 { } leap { } gtc { auth_type = PAP } tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 # hours max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } tls { tls = tls-common } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } mschapv2 { } } My sites-enabled/default file: radius@radius:/etc/freeradius/sites-enabled$ cat default | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d' server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } listen { type = auth ipv6addr = :: # any. ::1 == localhost port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipv6addr = :: port = 0 type = acct limit { } } authorize { filter_username preprocess chap mschap ntdomain eap { ok = return } files -ldap -adldap #ACTIVEDIRECTORY-backldap expiration logintime pap } authenticate { Auth-Type PAP { pap ldap #skond ic ciniz adldap #ACTIVEDIRECTORY } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } preacct { preprocess acct_unique suffix files } accounting { detail unix exec attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = "50" } } if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = "12" } } if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = "10" } } if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = "11" } } if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = "13" } } if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") { update reply { Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID := "50" } } ldap exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject eap remove_reply_message_if_eap } } pre-proxy { } post-proxy { eap } } my inner-tunnel (not sure this is needed but pasting just in case. radius@radius:/etc/freeradius/sites-enabled$ cat inner-tunnel | sed 's/^[ \t]*//;s/[ \t]*$//' | sed -e '/^#/d' | sed '/^\s*$/d' server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { filter_username chap mschap ntdomain update control { &Proxy-To-Realm := LOCAL } eap { ok = return } files ldap adldap #ACTIVE DIRECTORY expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { -sql -ldap Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } } # inner-tunnel server block This is the server log of when the client gets assigned correctly to VLAN 11. Waking up in 4.2 seconds. (36) Received Access-Request Id 134 from 192.168.100.112:43578 to 192.168.100.201:1812 length 238 (36) User-Name = "abc" (36) NAS-IP-Address = 10.0.152.66 (36) NAS-Identifier = "802aa84654f2" (36) NAS-Port = 0 (36) Called-Station-Id = "80-2A-A8-47-54-F2:SeminaryWiFi" (36) Calling-Station-Id = "08-11-96-10-3E-14" (36) Framed-MTU = 1400 (36) NAS-Port-Type = Wireless-802.11 (36) Connect-Info = "CONNECT 0Mbps 802.11b" (36) EAP-Message = 0x02f3003f1580000000351703030030000000000000000188d6f04ed73463104a8a627456c7e888d8b95d71a34a21aab4724d66d06b041bdd7edbcdd4621d4b (36) State = 0xa61de71ea2eef24e8e3c6f3ed559ee72 (36) Message-Authenticator = 0x1b19bc1f2f655c8f332822c15cd5f3a7 (36) session-state: No cached attributes (36) # Executing section authorize from file /etc/freeradius/sites-enabled/default (36) authorize { (36) policy filter_username { (36) if (&User-Name) { (36) if (&User-Name) -> TRUE (36) if (&User-Name) { (36) if (&User-Name =~ /@[^@]*@/ ) { (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (36) if (&User-Name =~ /\.\./ ) { (36) if (&User-Name =~ /\.\./ ) -> FALSE (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (36) if (&User-Name =~ /\.$/) { (36) if (&User-Name =~ /\.$/) -> FALSE (36) if (&User-Name =~ /@\./) { (36) if (&User-Name =~ /@\./) -> FALSE (36) } # if (&User-Name) = notfound (36) } # policy filter_username = notfound (36) [preprocess] = ok (36) [chap] = noop (36) [mschap] = noop (36) ntdomain: Checking for prefix before "\" (36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL (36) ntdomain: No such realm "NULL" (36) [ntdomain] = noop (36) eap: Peer sent EAP Response (code 2) ID 243 length 63 (36) eap: Continuing tunnel setup (36) [eap] = ok (36) } # authorize = ok (36) Found Auth-Type = eap (36) # Executing group from file /etc/freeradius/sites-enabled/default (36) authenticate { (36) eap: Expiring EAP session with state 0xa61de71ea2eef24e (36) eap: Finished EAP session with state 0xa61de71ea2eef24e (36) eap: Previous EAP request found for state 0xa61de71ea2eef24e, released from the list (36) eap: Peer sent packet with method EAP TTLS (21) (36) eap: Calling submodule eap_ttls to process data (36) eap_ttls: Authenticate (36) eap_ttls: Continuing EAP-TLS (36) eap_ttls: Peer indicated complete TLS record size will be 53 bytes (36) eap_ttls: Got complete TLS record (53 bytes) (36) eap_ttls: [eaptls verify] = length included (36) eap_ttls: [eaptls process] = ok (36) eap_ttls: Session established. Proceeding to decode tunneled attributes (36) eap_ttls: Got tunneled request (36) eap_ttls: User-Name = "abc" (36) eap_ttls: User-Password = "abcd" (36) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (36) eap_ttls: Sending tunneled request (36) Virtual server inner-tunnel received request (36) User-Name = "abc" (36) User-Password = "abcd" (36) FreeRADIUS-Proxied-To = 127.0.0.1 (36) WARNING: Outer and inner identities are the same. User privacy is compromised. (36) server inner-tunnel { (36) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (36) authorize { (36) policy filter_username { (36) if (&User-Name) { (36) if (&User-Name) -> TRUE (36) if (&User-Name) { (36) if (&User-Name =~ /@[^@]*@/ ) { (36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (36) if (&User-Name =~ /\.\./ ) { (36) if (&User-Name =~ /\.\./ ) -> FALSE (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (36) if (&User-Name =~ /\.$/) { (36) if (&User-Name =~ /\.$/) -> FALSE (36) if (&User-Name =~ /@\./) { (36) if (&User-Name =~ /@\./) -> FALSE (36) } # if (&User-Name) = notfound (36) } # policy filter_username = notfound (36) [chap] = noop (36) [mschap] = noop (36) ntdomain: Checking for prefix before "\" (36) ntdomain: No '\' in User-Name = "abc", looking up realm NULL (36) ntdomain: No such realm "NULL" (36) [ntdomain] = noop (36) update control { (36) &Proxy-To-Realm := LOCAL (36) } # update control = noop (36) eap: No EAP-Message, not doing EAP (36) [eap] = noop (36) [files] = noop rlm_ldap (ldap): Reserved connection (1) (36) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (36) ldap: --> (cn=abc) (36) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=abc)", scope "sub" (36) ldap: Waiting for search result... (36) ldap: User object found at DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) ldap: Processing user attributes (36) ldap: control:Password-With-Header += '{ssha}dYlL9kdAZTjsDzkBHYg5bEJ6J+w6tm5V4pSR+A==' (36) ldap: control:Password-With-Header += 'abcd' rlm_ldap (ldap): Released connection (1) Need 2 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (8), 1 of 24 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (36) [ldap] = updated rlm_ldap (adldap): Reserved connection (0) (36) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (36) adldap: --> (cn=abc) (36) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter "(cn=abc)", scope "sub" (36) adldap: Waiting for search result... (36) adldap: The specified DN wasn't found (36) adldap: Search returned no results rlm_ldap (adldap): Released connection (0) Need 2 more connections to reach 10 spares rlm_ldap (adldap): Opening additional connection (8), 1 of 24 pending slots used rlm_ldap (adldap): Connecting to ldap://localhost:389 rlm_ldap (adldap): Waiting for bind result... rlm_ldap (adldap): Bind successful (36) [adldap] = notfound (36) [expiration] = noop (36) [logintime] = noop (36) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (36) pap: Removing &control:Password-With-Header (36) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (36) pap: Removing &control:Password-With-Header (36) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes (36) [pap] = updated (36) } # authorize = updated (36) Found Auth-Type = PAP (36) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (36) Auth-Type PAP { (36) pap: Login attempt with password (36) pap: Comparing with "known-good" SSHA-Password (36) pap: User authenticated successfully (36) [pap] = ok (36) } # Auth-Type PAP = ok (36) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (36) post-auth { (36) ldap: EXPAND . (36) ldap: --> . (36) ldap: EXPAND Authenticated at %S (36) ldap: --> Authenticated at 2017-09-25 17:31:28 rlm_ldap (ldap): Reserved connection (2) (36) ldap: Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) ldap: Modifying object with DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) ldap: Waiting for modify result... rlm_ldap (ldap): Released connection (2) (36) [ldap] = ok (36) } # post-auth = ok (36) } # server inner-tunnel (36) Virtual server sending reply (36) eap_ttls: Got tunneled Access-Accept (36) eap_ttls: No information to cache: session caching will be disabled for session 2e7aac7106dabc6b230c2e692645fa699f7f7c6d5757c770ea48340202308f5b (36) eap: Sending EAP Success (code 3) ID 243 length 4 (36) eap: Freeing handler (36) [eap] = ok (36) } # authenticate = ok (36) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (36) post-auth { (36) update { (36) No attributes updated (36) } # update = noop (36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") { (36) Searching for user in group "cn=Teachers,ou=School,dc=seminary,dc=ad" rlm_ldap (ldap): Reserved connection (3) (36) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (36) --> (cn=abc) (36) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=abc)", scope "sub" (36) Waiting for search result... (36) User object found at DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN rlm_ldap (ldap): Released connection (3) (36) User is not a member of "cn=Teachers,ou=School,dc=seminary,dc=ad" (36) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") -> FALSE (36) if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") { (36) Searching for user in group "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (4) (36) Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN rlm_ldap (ldap): Released connection (4) (36) User is not a member of "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" (36) if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (36) if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") { (36) Searching for user in group "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (0) (36) Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN rlm_ldap (ldap): Released connection (0) (36) User is not a member of "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local" (36) if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (36) if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") { (36) Searching for user in group "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (6) (36) Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN (36) User found in group DN "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local". Comparison between membership: dn, check: dn rlm_ldap (ldap): Released connection (6) (36) if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") -> TRUE (36) if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") { (36) update reply { (36) Tunnel-Type = VLAN (36) Tunnel-Medium-Type = IEEE-802 (36) Tunnel-Private-Group-ID = "11" (36) } # update reply = noop (36) } # if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") = noop (36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") { (36) Searching for user in group "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (5) (36) Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN rlm_ldap (ldap): Released connection (5) (36) User is not a member of "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local" (36) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") { (36) Searching for user in group "cn=School,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (7) (36) Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) Checking user object's memberOf attributes (36) Performing unfiltered search in "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local", scope "base" (36) Waiting for search result... (36) Processing memberOf value "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" as a DN rlm_ldap (ldap): Released connection (7) (36) User is not a member of "cn=School,ou=SeminaryOU,dc=seminary,dc=local" (36) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (36) ldap: EXPAND . (36) ldap: --> . (36) ldap: EXPAND Authenticated at %S (36) ldap: --> Authenticated at 2017-09-25 17:31:28 rlm_ldap (ldap): Reserved connection (1) (36) ldap: Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) ldap: Modifying object with DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (36) ldap: Waiting for modify result... rlm_ldap (ldap): Released connection (1) (36) [ldap] = ok (36) [exec] = noop (36) policy remove_reply_message_if_eap { (36) if (&reply:EAP-Message && &reply:Reply-Message) { (36) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (36) else { (36) [noop] = noop (36) } # else = noop (36) } # policy remove_reply_message_if_eap = noop (36) } # post-auth = ok (36) Sent Access-Accept Id 134 from 192.168.100.201:1812 to 192.168.100.112:43578 length 0 (36) MS-MPPE-Recv-Key = 0x1f09c87d9c6e4761e1e2c4ae95c1773d9eaabb1020e146b71648faef7be7f449 (36) MS-MPPE-Send-Key = 0xd82966c83116ad0ab06a985ffe7a4a24704fe3bbfc772c8a547f0df9b67cc765 (36) EAP-Message = 0x03f30004 (36) Message-Authenticator = 0x00000000000000000000000000000000 (36) User-Name = "abc" (36) Tunnel-Type = VLAN (36) Tunnel-Medium-Type = IEEE-802 (36) Tunnel-Private-Group-Id = "11" (36) Finished request