I've been trialing eap-tls for users for quite a while. Unfortunately our security people insisted that in addition to eap-tls I had to check that the associated users AD account was also enabled. In clearpass ( on site authentication service) this is a simple thing to do. So on campus a user can use eap-tls on their client providing their AD account is enabled. If account enabled Access-Accept, if not Access-Reject. However, our external facing RADIUS servers are FR 3.0.17 boxes acting as our ORPS systems. Inbound from the outside world EAP-TLS requests get handled by freeradius which then performs an OCSP validation request. This all works except for the fact I'm not checking for an enabled AD account. FR is configured to use winbindd. The TLS cert CN is of the form <userid>-<4digit hex number>@york.ac.uk Is there any way of me checking for an enabled AD account? e.g. ntlm_auth using userid component of the CN and checking a status response ? or another way ? Rgs Alex