Hi, Thank you for your advice on the use of multiple MSCHAP modules. I made the changes that were suggested but I'm still unable to authenticate users in different realms. Thanks Chris In the authorize section of inner-tunnel server. # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap I have defined two mschap modules (mschap_ds and mschap_admin) and made the following changes in the inner-tunnel authenticate section. # # MSCHAP authentication. Auth-Type MS-CHAP { if ("%{outer.request:User-Name}" =~ /@realm$/i){ mschap-ds { ok = return } } else { mschap-admin { ok = return } } } # # For old names, too. #mschap < -- I commented out this entry The authentication of a user in either realm failed with the following error message. (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x93ae5ad093a740b0 (9) eap: Finished EAP session with state 0x93ae5ad093a740b0 (9) eap: Previous EAP request found for state 0x93ae5ad093a740b0, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: Auth-Type sub-section not found. Ignoring. (9) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap: Sending EAP Failure (code 4) ID 9 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Login incorrect: [user_a] (from client localhost port 0 via TLS tunnel) (9) Using Post-Auth-Type Reject If I uncomment the following # For old names, too. mschap I'm able to authenticate a user in one realm but not the other. 21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (21) authenticate { (21) eap: Expiring EAP session with state 0xf0a763cef0ae799b (21) eap: Finished EAP session with state 0xf0a763cef0ae799b (21) eap: Previous EAP request found for state 0xf0a763cef0ae799b, released from the list (21) eap: Peer sent packet with method EAP MSCHAPv2 (26) (21) eap: Calling submodule eap_mschapv2 to process data (21) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (21) eap_mschapv2: authenticate { (21) mschap: Creating challenge hash with username: XXXXXX (21) mschap: Client is using MS-CHAPv2 (21) mschap: EXPAND %{Stripped-User-Name} (21) mschap: --> XXXXXX rlm_mschap (mschap): Reserved connection (1) (21) mschap: sending authentication request user='XXXXXX' domain='ADMIN' rlm_mschap (mschap): Released connection (1) rlm_mschap (mschap): Need 9 more connections to reach 20 spares rlm_mschap (mschap): Opening additional connection (11), 1 of 53 pending slots used (21) mschap: ERROR: No such user [0xC0000064] (21) mschap: ERROR: Password has expired. User should retry authentication (21) [mschap] = reject (21) } # authenticate = reject (21) eap: Sending EAP Failure (code 4) ID 9 length 4 (21) eap: Freeing handler (21) [eap] = reject (21) } # authenticate = reject (21) Failed to authenticate the user I