Good afternoon everyone. I'm new to freeradius and I have been trying a few setups to implement 802.1x on our wired infrastructure + WPA Enterprise on our wireless infrastructure. We have a mixed environment with Linux and Windows 7 client machines and I have successfully configured freeradius to authenticate to our AD server, through both PEAP and EAP-TLS. Over EAP-TLS the client certificate is being verified against the CA and on the CN against the declared EAP username. I am still working on encrypting the client certificate with personal passwords on each supplicant machine (and I believe I'll succeed soon). I believe I'm close to replicating this behavior over PEAP, which would add the MSCHAPv2 authentication after the TLS validation, however this is not the full functionality that we desire. The idea is to have individual certificates for each user, encrypted with a personal password. The certificates being signed by the server CA with usernames as CNs, which we are already able to check thanks to the great templates available, and as the second step we'd like to have the user authenticated (under the encrypted TLS connection) with MSCHAP against our Active Directory. The current challenge is to lock the tunneled authentication to the same username of the certificate step. This would ensure (or at least make it harder) for privileged users to steal another certificate and impersonate that user with that certificate. I'm not sure if I have made myself clear, but we want to make sure users will only be able to use their own certificates, on their own computers and not be able to authenticate their credentials with a certificate from someone else's. What has been troublesome for me is this last step, to lock the AD authentication to the same user declared on the certificate. It seems to me that the RADIUS server would be able to reject this kind of abuse, though it might not be the way it is supposed to work. I couldn't find the right documentation on how to do it, so anything close to it can help me. Our lab right now is on a Debian server with freeradius 2.2.5, but we expect to put it in production on a pfSense firewall (I should confirm soon which version will be available there). Thank you for your time, Att, *Renato Zippert*