Hello, I have what I think is a very common use case. I'd like to support "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate device has a valid certificate and authenticates EPA-TLS it gets validated against one set of rules ultimately culminating with assignment in one or more VLANs, vs a BYOD device authenticated with EAP-PEAP that will go through a different authentication/authorization stack ending up in a different set of possible VLANs. We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7. The problem is that when I enable the 'virtual_server' option for EAP-TLS, it still hits the default authentication/authorization stack resulting in searching the wrong LDAP (machines and people are separate) before it runs for the virtual server defined. By the time it hits the virtual server, the request has already been denied as the LDAP object does not exist in the area it is looking for. I would also like, if EAP-TLS is used, to ignore whatever username the client passes and instead use the client's CN from its certificate with regard to ldap authorization. If anyone has any advise on how to configure a completely divergent configuration that depends on whether or not the client is use TLS or PEAP, I would appreciate it. John