Hello, I am using freeradius to authenticate to multiple databases, some in other LDAP in SQL. I am doing authentication and wireless networks, where I have multiple SSIDs for wireless networks, and each one logs in a database. All these databases are in the same Radius server, which differentiate based authentication used by the users of the Realm, running as follows: authorize { ... if (Realm == "fpti") { ldap_fpti } if ( Realm == "pti") { ldap_pti } if ( Realm == "visitantes") { sql_visitantes } ... } This model is funcionaç, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information: ... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"* EAP-Message = 0x020500061500 State = 0xfd87ee8cfe82fb655b300470157cca59 Message-Authenticator = 0xb9a2c29a193593e8f1165dc71ab487c1 # Executing section authorize from file /etc/freeradius/sites-enabled/default ... Once the session authorization, I tried to check the VLAN required before releasing the basis for authorization, did it as follows: authorize { ... if (Tunnel-Private-Group-Id:0 == 5){ # Base de dados LDAP da FPTI if (Realm == "fpti") { ldap_fpti } } if (Tunnel-Private-Group-Id:0 == 30){ # Todos os Hbitantes do PTI atraves do numero do cracha if ( Realm == "pti") { ldap_pti } # Base de dados SQL de Visitantes if ( Realm == "visitantes") { sql_visitantes } } ... } But unfortunately this is not working (as shown in the log below): [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++? if (Tunnel-Private-Group-Id:0 == 5) ? Evaluating (Tunnel-Private-Group-Id:0 == 5) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 5) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 30) ? Evaluating (Tunnel-Private-Group-Id:0 == 30) -> FALSE ++? if (Tunnel-Private-Group-Id:0 == 30) -> FALSE ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: joao@fpti [mschap] Told to do MS-CHAPv2 for joao@fpti with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. Login incorrect: [joao@fpti] (from client controladora-wlan-1 port 0 via TLS tunnel) Note that all conditional "IF" fails. Also said that if I try to use the Tunnel-Private-Group-Id without the ":0" at the end, appears in the logs that the attribute was not found, I mention this because in several instances I saw on the internet was used only "Tunnel- Private -Group-Id" (with :0 at the end) I ask, how can I make this check? Thank you for listening; -- João Paulo de Lima Barbosa