Hello, I have a small problem a little bit annoying, and it seems to me that a lot of people using LDAP don't know that they have the same problem. I explain : I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that: authorize { preprocess suffix eap files Autz-Type LDAP { ldap } } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } It is working. I am not sure it is the minimal configuration, but I don't care too much. My problem is the following: in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile. I can partially solve the problem using : Autz-Type LDAP { ldap{ notfound = reject } } Then, the roaming profile must be a valid LDAP name. But I still can use an arbitrary valid LDAP name. In fact, the most important thing to me is that the accounting, and session logger use the good name. Is it a solution to my problem ? Thx, -- Thierry CHICH Equipe Réseaux / Rectorat de Clermont-Ferrand Tel: +33 4 73 99 30 54