Hi, Just to update I was able to do what I intended to : Here what I did, In the authenticate of inner-tunnel and default I added this: Auth-Type MS-CHAP { group { mschap { reject = 1 ok = return } mschap_tata { reject = 1 ok = return } mschap_toto { ok = return } } } And in mschap module I added: Mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-%{Realm}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" } mschap mschap_tata { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-tata} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } mschap mschap_toto { ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-toto} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Also added in proxy.conf Realm tata { } Realm toto { } With this I was able to do what I wanted, I am able to permit users from both domain whether they write their user like tata\username, toto\username or just username I was also able to to peap authentification by just using the documentation, Now I’m looking at LDAP to check the group membership of user and only permit certain group and /or send attribute to those group. Thank you Yannick Ménard ---------------------------------------------------------------------------------------------------------- Ce courriel a �t� filtr� par ModusGate et Webshield afin de le certifier comme l�gitime et exempt de virus.