I have a freeradius setup (currently 1.1.1) for a VPN NAS box using 128-bit MPPE MSCHAPv2 authentication against a Samba password file and have recently added an EAP/PEAP setup for switches and access points to provide 802.1x access control. This all works, and I now need to check multiple Samba password files and depending on which one contains the users credentials return a VLAN tag to the switch. In users I think I need: DEFAULT something == "staff" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = 1000 DEFAULT something == "student" Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802, Tunnel-Private-Group-Id:0 = 1001 where 'something' gets set depending on which password file the username exists in. Note that usernames are mutually exclusive - they will only exist in one of the samba password files. I created multiple instances of passwd modules: passwd smbpasswd_staff { filename = /path/to/smbpasswd_staff format = "*User-Name::LM-Password:NT-Password:SMB- Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } passwd smbpasswd_student { filename = /path/to/smbpasswd_student format = "*User-Name::LM-Password:NT-Password:SMB- Account-CTRL-TEXT::" authtype = MS-CHAP hashsize = 100 ignorenislike = no allowmultiplekeys = no } and tried using realms and Autz-Type in the authorize section and changing User-Name to Stripped-User-Name, but this doesn't work with EAP. I would also prefer not to have the users specify some prefix or suffix to select which samba password file is check if possible. I've had a look through the list archives and can't find any hints so can anyone suggest what I could try next ? Tom -- Tom Whitehouse Department of Computer Science, University of York Heslington, York YO10 5DD, United Kingdom email: tomw@cs.york.ac.uk | Fax: +44 1904 432767 http://www.cs.york.ac.uk | Voice: +44 1904 434725