hi, just a quick point that whilst host/ works locally, these are not legitimate for global eduroam usage - they dont have correct realm syntax for proxying around the world so the auth will work at home but not away - unless you specify a 2nd profile (eg in GPO) offering a 'user auth' (e.g. PEAP) method. of course, since its via GPO you can already have the profile pretty much populated (correct CA, RADIUS server being checked etc) - just ask for user/pass in correct format - ie user education. i've authed users and machines against AD without worrying about the branch - they should be findable with a global auth - however, the username is NOT going to be in Stripped-User-Name - as there is no matching realm you have and therefore that is not populated...so you need to use the usual 'if this exists use this else use this' syntax eg %{%{Stripped-User-Name}:%{User-Name}} - theres also the nt_domain_hack in mschap to check/set - you need to run in debug mode for an EAP-TLS client to check what is coming in and key off the relevant part. in previous role, we were moving away to EAP-TLS for these sorts of things - quicker auths, less hit on AD, no need to use AD for authZ etc. less moving parts to go wrong :) alan