Dear Alan Thanks for your suggestion. Indeed cache was on. I disabled it by enable = no in /etc/freeradius/mods-enabled/eap Anywhere else I need to disable it? On another note, are those anonymous connections something which should worry me please? Pasting the log of me trying to connect from another client. First time it connects it goes to VLAN 11 and second as you can see it goes haywire. Thanks Waking up in 4.9 seconds. (96) Received Access-Request Id 240 from 192.168.100.109:39092 to 192.168.100.201:1812 length 317 (96) User-Name = "anonymous" (96) NAS-IP-Address = 10.0.148.255 (96) NAS-Identifier = "802aa849cbfe" (96) NAS-Port = 0 (96) Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi" (96) Calling-Station-Id = "08-11-96-10-3E-14" (96) Framed-MTU = 1400 (96) NAS-Port-Type = Wireless-802.11 (96) Connect-Info = "CONNECT 0Mbps 802.11b" (96) EAP-Message = 0x0280008815800000007e16030300461000004241044cb275f6fcf633ed05fe8ff5ca6954298c28f0eca0d5f52a17fd3967828032bb591f8de9f740fbc3503f15d22a1ee987f063ecf29b4ec20ab6df6a37b6eecc05140303000101160303002800000000000000004efd211e798f718ea73a96b4ead59e (96) State = 0x66755a3e65f54f6d39985201a18178d8 (96) Message-Authenticator = 0x901592ede88efe274c6142b8f017adb2 (96) session-state: No cached attributes (96) # Executing section authorize from file /etc/freeradius/sites-enabled/default (96) authorize { (96) policy filter_username { (96) if (&User-Name) { (96) if (&User-Name) -> TRUE (96) if (&User-Name) { (96) if (&User-Name =~ /@[^@]*@/ ) { (96) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (96) if (&User-Name =~ /\.\./ ) { (96) if (&User-Name =~ /\.\./ ) -> FALSE (96) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (96) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (96) if (&User-Name =~ /\.$/) { (96) if (&User-Name =~ /\.$/) -> FALSE (96) if (&User-Name =~ /@\./) { (96) if (&User-Name =~ /@\./) -> FALSE (96) } # if (&User-Name) = notfound (96) } # policy filter_username = notfound (96) [preprocess] = ok (96) [chap] = noop (96) [mschap] = noop (96) ntdomain: Checking for prefix before "\" (96) ntdomain: No '\' in User-Name = "anonymous", looking up realm NULL (96) ntdomain: No such realm "NULL" (96) [ntdomain] = noop (96) eap: Peer sent EAP Response (code 2) ID 128 length 136 (96) eap: Continuing tunnel setup (96) [eap] = ok (96) } # authorize = ok (96) Found Auth-Type = eap (96) # Executing group from file /etc/freeradius/sites-enabled/default (96) authenticate { (96) eap: Expiring EAP session with state 0x66755a3e65f54f6d (96) eap: Finished EAP session with state 0x66755a3e65f54f6d (96) eap: Previous EAP request found for state 0x66755a3e65f54f6d, released from the list (96) eap: Peer sent packet with method EAP TTLS (21) (96) eap: Calling submodule eap_ttls to process data (96) eap_ttls: Authenticate (96) eap_ttls: Continuing EAP-TLS (96) eap_ttls: Peer indicated complete TLS record size will be 126 bytes (96) eap_ttls: Got complete TLS record (126 bytes) (96) eap_ttls: [eaptls verify] = length included (96) eap_ttls: <<< recv TLS 1.2 [length 0046] (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: <<< recv TLS 1.2 [length 0001] (96) eap_ttls: <<< recv TLS 1.2 [length 0010] (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: >>> send TLS 1.2 [length 0001] (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: >>> send TLS 1.2 [length 0010] (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: TLS_accept: unknown state (96) eap_ttls: (other): SSL negotiation finished successfully (96) eap_ttls: SSL Connection Established (96) eap_ttls: [eaptls process] = handled (96) eap: Sending EAP Request (code 1) ID 129 length 61 (96) eap: EAP session adding &reply:State = 0x66755a3e62f44f6d (96) [eap] = handled (96) } # authenticate = handled (96) Using Post-Auth-Type Challenge (96) Post-Auth-Type sub-section not found. Ignoring. (96) # Executing group from file /etc/freeradius/sites-enabled/default (96) Sent Access-Challenge Id 240 from 192.168.100.201:1812 to 192.168.100.109:39092 length 0 (96) EAP-Message = 0x0181003d15800000003314030300010116030300280e51a3e7a6798a4b990b4ebfbbb4c12533451c5335012189ffca366de94f2c3d4e489f3a5be84620 (96) Message-Authenticator = 0x00000000000000000000000000000000 (96) State = 0x66755a3e62f44f6d39985201a18178d8 (96) Finished request Waking up in 4.9 seconds. (97) Received Access-Request Id 241 from 192.168.100.109:39092 to 192.168.100.201:1812 length 244 (97) User-Name = "anonymous" (97) NAS-IP-Address = 10.0.148.255 (97) NAS-Identifier = "802aa849cbfe" (97) NAS-Port = 0 (97) Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi" (97) Calling-Station-Id = "08-11-96-10-3E-14" (97) Framed-MTU = 1400 (97) NAS-Port-Type = Wireless-802.11 (97) Connect-Info = "CONNECT 0Mbps 802.11b" (97) EAP-Message = 0x0281003f15800000003517030300300000000000000001f4e09b67e72ff9aa43f89f7257edbfa01cdd7ee13e6cda560d9c10100aa501139e1e87b046a845d7 (97) State = 0x66755a3e62f44f6d39985201a18178d8 (97) Message-Authenticator = 0x829057918936a78bb34ff9798347607c (97) session-state: No cached attributes (97) # Executing section authorize from file /etc/freeradius/sites-enabled/default (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) [preprocess] = ok (97) [chap] = noop (97) [mschap] = noop (97) ntdomain: Checking for prefix before "\" (97) ntdomain: No '\' in User-Name = "anonymous", looking up realm NULL (97) ntdomain: No such realm "NULL" (97) [ntdomain] = noop (97) eap: Peer sent EAP Response (code 2) ID 129 length 63 (97) eap: Continuing tunnel setup (97) [eap] = ok (97) } # authorize = ok (97) Found Auth-Type = eap (97) # Executing group from file /etc/freeradius/sites-enabled/default (97) authenticate { (97) eap: Expiring EAP session with state 0x66755a3e62f44f6d (97) eap: Finished EAP session with state 0x66755a3e62f44f6d (97) eap: Previous EAP request found for state 0x66755a3e62f44f6d, released from the list (97) eap: Peer sent packet with method EAP TTLS (21) (97) eap: Calling submodule eap_ttls to process data (97) eap_ttls: Authenticate (97) eap_ttls: Continuing EAP-TLS (97) eap_ttls: Peer indicated complete TLS record size will be 53 bytes (97) eap_ttls: Got complete TLS record (53 bytes) (97) eap_ttls: [eaptls verify] = length included (97) eap_ttls: [eaptls process] = ok (97) eap_ttls: Session established. Proceeding to decode tunneled attributes (97) eap_ttls: Got tunneled request (97) eap_ttls: User-Name = "abc" (97) eap_ttls: User-Password = "abcd" (97) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (97) eap_ttls: Sending tunneled request (97) Virtual server inner-tunnel received request (97) User-Name = "abc" (97) User-Password = "abcd" (97) FreeRADIUS-Proxied-To = 127.0.0.1 (97) server inner-tunnel { (97) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (97) authorize { (97) policy filter_username { (97) if (&User-Name) { (97) if (&User-Name) -> TRUE (97) if (&User-Name) { (97) if (&User-Name =~ /@[^@]*@/ ) { (97) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (97) if (&User-Name =~ /\.\./ ) { (97) if (&User-Name =~ /\.\./ ) -> FALSE (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (97) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (97) if (&User-Name =~ /\.$/) { (97) if (&User-Name =~ /\.$/) -> FALSE (97) if (&User-Name =~ /@\./) { (97) if (&User-Name =~ /@\./) -> FALSE (97) } # if (&User-Name) = notfound (97) } # policy filter_username = notfound (97) [chap] = noop (97) [mschap] = noop (97) ntdomain: Checking for prefix before "\" (97) ntdomain: No '\' in User-Name = "abc", looking up realm NULL (97) ntdomain: No such realm "NULL" (97) [ntdomain] = noop (97) update control { (97) &Proxy-To-Realm := LOCAL (97) } # update control = noop (97) eap: No EAP-Message, not doing EAP (97) [eap] = noop (97) [files] = noop rlm_ldap (ldap): Closing connection (17): Hit idle_timeout, was idle for 240 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): Closing connection (18): Hit idle_timeout, was idle for 240 seconds rlm_ldap (ldap): You probably need to lower "min" rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (19), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (19) (97) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) ldap: --> (cn=abc) (97) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=abc)", scope "sub" (97) ldap: Waiting for search result... (97) ldap: User object found at DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (97) ldap: Processing user attributes (97) ldap: control:Password-With-Header += '{ssha}dYlL9kdAZTjsDzkBHYg5bEJ6J+w6tm5V4pSR+A==' (97) ldap: control:Password-With-Header += 'abcd' rlm_ldap (ldap): Released connection (19) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (20), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://localhost:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (97) [ldap] = updated rlm_ldap (adldap): Closing connection (16): Hit idle_timeout, was idle for 240 seconds rlm_ldap (adldap): You probably need to lower "min" rlm_ldap (adldap): Closing connection (17): Hit idle_timeout, was idle for 240 seconds rlm_ldap (adldap): You probably need to lower "min" rlm_ldap (adldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (adldap): Opening additional connection (18), 1 of 32 pending slots used rlm_ldap (adldap): Connecting to ldap://localhost:389 rlm_ldap (adldap): Waiting for bind result... rlm_ldap (adldap): Bind successful rlm_ldap (adldap): Reserved connection (18) (97) adldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) adldap: --> (cn=abc) (97) adldap: Performing search in "ou=School,dc=seminary,dc=ad" with filter "(cn=abc)", scope "sub" (97) adldap: Waiting for search result... (97) adldap: The specified DN wasn't found (97) adldap: Search returned no results rlm_ldap (adldap): Released connection (18) Need 2 more connections to reach min connections (3) rlm_ldap (adldap): Opening additional connection (19), 1 of 31 pending slots used rlm_ldap (adldap): Connecting to ldap://localhost:389 rlm_ldap (adldap): Waiting for bind result... rlm_ldap (adldap): Bind successful (97) [adldap] = notfound (97) [expiration] = noop (97) [logintime] = noop (97) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (97) pap: Removing &control:Password-With-Header (97) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (97) pap: Removing &control:Password-With-Header (97) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes (97) [pap] = updated (97) } # authorize = updated (97) Found Auth-Type = PAP (97) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (97) Auth-Type PAP { (97) pap: Login attempt with password (97) pap: Comparing with "known-good" SSHA-Password (97) pap: User authenticated successfully (97) [pap] = ok (97) } # Auth-Type PAP = ok (97) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel (97) post-auth { (97) ldap: EXPAND . (97) ldap: --> . (97) ldap: EXPAND Authenticated at %S (97) ldap: --> Authenticated at 2017-09-25 22:21:49 rlm_ldap (ldap): Reserved connection (19) (97) ldap: Using user DN from request "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (97) ldap: Modifying object with DN "cn=abc,cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" (97) ldap: Waiting for modify result... rlm_ldap (ldap): Released connection (19) (97) [ldap] = ok (97) } # post-auth = ok (97) } # server inner-tunnel (97) Virtual server sending reply (97) eap_ttls: Got tunneled Access-Accept (97) eap: Sending EAP Success (code 3) ID 129 length 4 (97) eap: Freeing handler (97) [eap] = ok (97) } # authenticate = ok (97) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (97) post-auth { (97) update { (97) No attributes updated (97) } # update = noop (97) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") { (97) Searching for user in group "cn=Teachers,ou=School,dc=seminary,dc=ad" rlm_ldap (ldap): Reserved connection (20) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (20) (97) if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") -> FALSE (97) if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") { (97) Searching for user in group "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (19) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (19) (97) if (Ldap-Group == "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (97) if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") { (97) Searching for user in group "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (20) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (20) (97) if (Ldap-Group == "cn=Formators,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (97) if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") { (97) Searching for user in group "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (19) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (19) (97) if (Ldap-Group == "cn=Seminarians,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (97) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") { (97) Searching for user in group "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (20) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (20) (97) if (Ldap-Group == "cn=Staff,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (97) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") { (97) Searching for user in group "cn=School,ou=SeminaryOU,dc=seminary,dc=local" rlm_ldap (ldap): Reserved connection (19) (97) EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) --> (cn=anonymous) (97) Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) Waiting for search result... (97) Search returned no results rlm_ldap (ldap): Released connection (19) (97) if (Ldap-Group == "cn=School,ou=SeminaryOU,dc=seminary,dc=local") -> FALSE (97) ldap: EXPAND . (97) ldap: --> . (97) ldap: EXPAND Authenticated at %S (97) ldap: --> Authenticated at 2017-09-25 22:21:49 rlm_ldap (ldap): Reserved connection (20) (97) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (97) ldap: --> (cn=anonymous) (97) ldap: Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub" (97) ldap: Waiting for search result... (97) ldap: Search returned no results rlm_ldap (ldap): Released connection (20) (97) [ldap] = notfound (97) [exec] = noop (97) policy remove_reply_message_if_eap { (97) if (&reply:EAP-Message && &reply:Reply-Message) { (97) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (97) else { (97) [noop] = noop (97) } # else = noop (97) } # policy remove_reply_message_if_eap = noop (97) } # post-auth = noop (97) Sent Access-Accept Id 241 from 192.168.100.201:1812 to 192.168.100.109:39092 length 0 (97) MS-MPPE-Recv-Key = 0x95225afb6e71050f5c7671c0bf4f4dba41a04c22193da51689b298ddd7d8512b (97) MS-MPPE-Send-Key = 0x77ab817b4619d5edf30293d205ed2d9f78ad3316cfb18cd600f338b6dcd99d94 (97) EAP-Message = 0x03810004 (97) Message-Authenticator = 0x00000000000000000000000000000000 (97) User-Name = "anonymous" (97) Finished request Waking up in 4.8 seconds. (93) Cleaning up request packet ID 237 with timestamp +610 (94) Cleaning up request packet ID 238 with timestamp +610 (95) Cleaning up request packet ID 239 with timestamp +610 (96) Cleaning up request packet ID 240 with timestamp +610 (97) Cleaning up request packet ID 241 with timestamp +610 Waking up in 5.8 seconds. (98) Received Accounting-Request Id 242 from 192.168.100.109:38125 to 192.168.100.201:1813 length 174 (98) Acct-Session-Id = "00000012-000000ED" (98) Acct-Status-Type = Start (98) Acct-Authentic = RADIUS (98) User-Name = "anonymous" (98) NAS-IP-Address = 10.0.148.255 (98) Framed-IP-Address = 192.168.100.36 (98) NAS-Identifier = "802aa849cbfe" (98) NAS-Port = 0 (98) Called-Station-Id = "80-2A-A8-4A-CB-FE:SeminaryWiFi" (98) Calling-Station-Id = "08-11-96-10-3E-14" (98) NAS-Port-Type = Wireless-802.11 (98) Connect-Info = "CONNECT 0Mbps 802.11b" (98) # Executing section preacct from file /etc/freeradius/sites-enabled/default (98) preacct { (98) [preprocess] = ok (98) policy acct_unique { (98) update request { (98) &Tmp-String-9 := "ai:" (98) } # update request = noop (98) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (98) EXPAND %{hex:&Class} (98) --> (98) EXPAND ^%{hex:&Tmp-String-9} (98) --> ^61693a (98) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (98) else { (98) update request { (98) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (98) --> f6e43b70ba6c919feabc2c5ea73ddbe2 (98) &Acct-Unique-Session-Id := f6e43b70ba6c919feabc2c5ea73ddbe2 (98) } # update request = noop (98) } # else = noop (98) } # policy acct_unique = noop (98) suffix: Checking for suffix after "@" (98) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (98) suffix: No such realm "NULL" (98) [suffix] = noop (98) [files] = noop (98) } # preacct = ok (98) # Executing section accounting from file /etc/freeradius/sites-enabled/default (98) accounting { (98) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (98) detail: --> /var/log/freeradius/radacct/ 192.168.100.109/detail-20170925 (98) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.100.109/detail-20170925 (98) detail: EXPAND %t (98) detail: --> Mon Sep 25 22:21:59 2017 (98) [detail] = ok (98) [unix] = ok (98) [exec] = noop (98) attr_filter.accounting_response: EXPAND %{User-Name} (98) attr_filter.accounting_response: --> anonymous (98) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (98) [attr_filter.accounting_response] = updated (98) } # accounting = updated (98) Sent Accounting-Response Id 242 from 192.168.100.201:1813 to 192.168.100.109:38125 length 0 (98) Finished request (98) Cleaning up request packet ID 242 with timestamp +620 Waking up in 0.8 seconds. -- Hi Sounds like you've got the EAP caching enabled but are not populating the vlan number you are returning in the cache object thus the next re-auth uses cache but has no vlan value to reply with so you get the default vlan. alan