hi, the request is coming from your switch and doing EAP radtest doesnt do EAP - so radtest wouldnt match same conditions. 2 options.... 1) use another testing tool so you hit the EAP section of the server - eg eapol_test or radeaptest 2) use radtest but point to the inner-tunnel port on the server (if you have that enabled...usually 18120) what you need to do is check the config of 'inner-tunnel' and ensure that the configuration matches your requirements (your default outer server is working when EAP is not in play) alternatively, this is because EAP config isnt correct on the client device - the CA cert RADIUS is using is not known/trusted by the client etc etc...... eapol_test is the tool that will help verify your RADIUS config is okay...once thats all fine then any further issues are generally the client....especially windows clients.... alan