Hello everyone, I've configured a freeradius 1.1.1 + LDAP for eap-tls authentication with domains. authorize { preprocess ntdomain ... } realm host { type = radius authhost = LOCAL accthost = LOCAL strip } This configuration gives an error: rlm_eap: Identity does not match User-Name, setting from EAP Identity. When I enable with_ntdomain_hack in eap.conf it works quite well. Could anyone tell me why it's neccesary? The problem is that this secondary_radius do proxy when it doesn't find the user in its LDAP and the master_radius gives this error: rlm_eap: Identity does not match User-Name, setting from EAP Identity. I've tried in master_radius the same configuration with and without ntdomain_hack and it fails. I've been thinking of adding the realm before the secondary do proxy, so the master could treat the request as it's been local. But I don't like this too much. Does anyone have a better idea of what to do? Thanks.