Hi Alan thank you for taking a look at the output for me on the last message. 1. Never said it doesn't work, said no VLAN on application of more than one group. 2. I will update to a newer version as the standard one in the repos is a little out of date. 3. You ignored the following output, if I use an incorrect password then I will get a fail. I looking for the user have its request authorized and have the VLAN assigned over to that user correctly. WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = LDAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type LDAP { (0) ldap : Login attempt by "richardl" rlm_ldap (ldap): Reserved connection (4) (0) ldap : Using user DN from request "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" (0) ldap : Waiting for bind result... (0) ldap : Bind successful (0) ldap : Bind as user "uid=richardl,cn=users,cn=compat,dc=acskype,dc=com" was successful rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) } # Auth-Type LDAP = ok (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sending Access-Accept packet to host 192.168.10.8 port 53461, id=114, length=0 Sending Access-Accept Id 114 from 192.168.10.2:1812 to 192.168.10.8:53461 (0) Finished request Also if I run radtest the user seems to work just not on the group memberships radtest richardl 'Testing 101' ipa01.acskype.com 1812 testing101 Sending Access-Request Id 198 from 0.0.0.0:41248 to 192.168.10.2:1812 User-Name = 'richardl' User-Password = 'Testing 101' NAS-IP-Address = 192.168.10.2 NAS-Port = 1812 Message-Authenticator = 0x00 Received Access-Accept Id 198 from 192.168.10.2:1812 to 192.168.10.2:41248 length 20 4. I will update into the latest version and hopeful have a follow up soon, would interested in hearing your ideas on the best method of securing free-radius & LDAP together