Hello, I have a freeradius server authenticating users with active directory, the users login with the samaccountname. This is the ldap filter: (sAMAccountName=%{mschap_default:User-Name:-%{User-Name}}) Now I need to enable the users to login with the employeeID. This is the ldap filter I tried: (employeeID=%{mschap_default:User-Name:-%{User-Name}})" The filter works in ldapsearch but not in freeradius. # Executing section authorize from file /etc/freeradius/sites-enabled/default Mon Aug 7 10:23:44 2023 : Debug: +group authorize { Mon Aug 7 10:23:44 2023 : Debug: [ad_all] performing user authorization for 1638828 Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: (employeeID=%{mschap_default:User-Name:-%{User-Name}}) -> (employeeID=1638828) Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx Mon Aug 7 10:23:44 2023 : Debug: ++[ad_all] = fail Mon Aug 7 10:23:44 2023 : Debug: +} # group authorize = fail Mon Aug 7 10:23:44 2023 : Debug: Using Post-Auth-Type REJECT Mon Aug 7 10:23:44 2023 : Debug: # Executing group from file /etc/freeradius/sites-enabled/default Mon Aug 7 10:23:44 2023 : Debug: +group REJECT { Mon Aug 7 10:23:44 2023 : Debug: [attr_filter.access_reject] expand: %{User-Name} -> 1638828 Mon Aug 7 10:23:44 2023 : Debug: ++[attr_filter.access_reject] = updated Mon Aug 7 10:23:44 2023 : Debug: +} # group REJECT = updated Why freeradius can't filter with the employeeID attribute? Thanks.