Hello and thank you to everyone that helped me with my issue. I was able to get permissions working as Alan kindly pointed out that the admin did not have permission to read the password, I however manged to find a blog post by one of the developers for 389 Directory which is the LDAP server for FreeIPA. Please check this link https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with... Thank you for other advice and I will look into following up on those topics, also I did get my version updated onto 3.0.12, looking into the issues with x.13 I had however I feel that is a separate topic so I will not post that here. Please consider this one solved, if I have an further issues I will open a new item and improve my posting, thank you for the feedback. On 19/04/17 17:07, Richard Laing wrote: Hi Alan thank you for taking a look at the output for me on the last message. 1. Never said it doesn't work, said no VLAN on application of more than one group. 2. I will update to a newer version as the standard one in the repos is a little out of date. 3. You ignored the following output, if I use an incorrect password then I will get a fail. I looking for the user have its request authorized and have the VLAN assigned over to that user correctly. WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = LDAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type LDAP { (0) ldap : Login attempt by "richardl" rlm_ldap (ldap): Reserved connection (4) (0) ldap : Using user DN from request "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" (0) ldap : Waiting for bind result... (0) ldap : Bind successful (0) ldap : Bind as user "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) } # Auth-Type LDAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sending Access-Accept packet to host 192.168.10.8 port 53461, id=114, length=0 Sending Access-Accept Id 114 from 192.168.10.2:1812 to 192.168.10.8:53461 (0) Finished request Also if I run radtest the user seems to work just not on the group memberships radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101 Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812 User-Name = 'richardl' User-Password = 'Testing 101' NAS-IP-Address = 192.168.10.2 NAS-Port = 1812 Message-Authenticator = 0x00 Received Access-Accept Id 198 from 192.168.10.2:1812 to 192.168.10.2:41248 length 20 4. I will update into the latest version and hopeful have a follow up soon, would interested in hearing your ideas on the best method of securing free-radius & LDAP together -- Richard Laing , Network Administrator [Armour Comms] www.armourcomms.com <https://www.armourcomms.com/> Armour Communications Limited 1st Floor Millbank Tower, London, SW1P 4QP, United Kingdom E: richard.laing@armourcomms.com<mailto:richard.laing@armourcomms.com> T: +44 (0)203 637 3801<tel:+442036373801> | M: +44 (0)758 423 6423<tel:+447584236423> Regd. in England and Wales No. 09322680. Reg. Office 1st Floor, Millbank Tower, London, SW1P 4QP, England NOTICE: If you are not the intended recipient of this transmission, any disclosure, copying, distribution or other use of any of the information in this transmission is strictly prohibited. If you have received this transmission in error, please notify me immediately by reply email or by calling the phone numbers above.