Hi I've been thinking about how FreeRADIUS would need to be configured to differentiate between authentication requests from BYOD devices and corporate (typically Windows Domain members) and i.e. put them in different VLANs. I've tried to find things that might be used as differentiators when i.e using PEAP-MSCHAPv2: Windows Domain member using PEAP-MSCHAPv2 send requests differently not having any domain part. Hosts authenticating use host/<hostname>$ formats for their username they send... IMO not really a reliable way to differentiate them in my opinion, an end user device could imitate that as well. The thing I currently see, is Calling-Station-Id being sent to FreeRADIUS where one could detect if a device is corporate-owned and thus i.e. an SQL database could be queried to check if the device figures in the known corporate devices DB. But then again we all know how easily MAC-addresses can be faked. Is there something else I'm likely missing here? Do some of you use different EAP methods like i.e. EAP-TLS for corporate devices while a password-based method is used for personal devices. Ideally if a certificate was given out for each corporate device and user as well as per BYOD device, well then it would be easy to identify things... But that's requiring a whole CA and issuing infrastructure while trying to keep onboarding personal devices as simple as possible for users. I don't have a urgent need for it right now but I have tried to get an idea on that topic yet haven't found a satisfying path (and without working every day with FreeRADIUS that is). Maybe someone is willing to share his or her experiences? -- Mathieu