Hi Alan,
Replace the "ldap123" line in the "authorize" seciton with:
if (!EAP-Message) { ldap123 }
works great and is logical indeed -- thanks! Just for myself and others try to learn from examples: I had thought that eap { ok = return } would already do the trick when placed above ldap. But actually, we have ++[eap] returns noop in case of a non-EAP request -- not 'ok'. The above statement catches up, only if there _is_ an EAP request, but no need to bother LDAP yet (ie during tunnel setup as the comment suggests). o.k. here's freeradius' output w/o EAP: [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> Pauly ++[files] returns ok ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> TRUE ++? if (!EAP-Message) -> TRUE ++- entering if (!EAP-Message) {...} +++- entering policy ldap123 {...} ++++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for Pauly ... and with EAP: [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> Pauly ++[files] returns ok ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg