Hi all: I am running Freeradius 1.1.0 and am trying to get Ldap-Groups to work with EAP/PEAP/MSCHAPv2, but have been running into issues. I'm trying to permit authentication to a wireless SSID based on an LDAP group. Here is my configuration: Radiusd.conf: authorize{ preprocess auth_log files { notfound = return } eap redundant-load-balance { ldap1 ldap2 } authenticate { Auth-Type LDAP { redundant-load-balance { ldap1 ldap2 } Auth-Type EAP { eap } hints: DEFAULT Called-Station-Id =~ ".*:ssid" Called-Station-Id := "ssid" huntgroups: restrict Called-Station-Id == ssid all NAS-IP-Address == xxx users: DEFAULT Huntgroup-Name == restrict, Ldap-group == "cn=something,ou=something" DEFAULT Huntgroup-Name == all When I try to authenticate, the radius server receives about 7 Access-requests. Each time it receives one, the Radius server checks the LDAP store to verify that the user exists in the ldap group (is this normal? can this be reduced? 7 LDAP binds per authentication attempt seems high), and each module returns OK. On the 6th attempt though, it attempts to decode the EAP tunnel, and this happens: rlm_dap::ldap_groupcmp: User found in group cn=something,ou=something blah blah blah Processing the authenticate section blah blah blah rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - XXX rlm_eap_peap: Tunneled data is valid PEAP: Got tunneled identity of XXX PEAP: Setting default EAP type for tunneled EAP session PEAP: Setting User-Name to XXX Processing the authorize section modcall[authorize]: module "preprocess" returns ok for request 6 blah blah blah modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "files" returns notfound for request 6 Notice that there is no additional call to ldap_group between the authorize and the resulting failure in the files module. Since I have set "files { notfound = return}," the user fails to authenticate despite being accepted 5 times previously with ldap_group. If I remove "notfound = return", the user can authenticate REGARDLESS of the ldap-group I set, even when ldap_group returns notfound. Is there something i'm missing in the configuration file? ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping