hi we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines). (we also have TLS users, but that's out of scope). both work like a charm. however, we'd like to prevent PEAP accounts to log in with TTLS and vice-versa (that's a pure policy decision - one user profile should specify exactly one auth method). this works mainly because we store clear text passwords for both MSCHAPv2 and PAP. assuming e.g. two users user_peap with PEAP/MS-CHAPv2 and user_ttls with TTLS/CHAP, we would like to modify the profile of the user user_peap so he can't change the exterior method to TTLS/PAP and vs. note that we don't necessarily use exterior names (since e.g. MS Windows machines do not permit to specify an alternative user name for the exterior EAP tunnel). we naively try to specify EAP-Type == PEAP for user_peap and == TTLS for user_ttls but that breaks both methods (which seems normal since this EAP-Type definition is not correct for the internal EAP method which however uses the same user name). i thought about specifying tunneled attributes as check items. it turns out that FR does not show them in the log and I believe that these are not the same for the PEAP and TTLS anyway. thus the question to the list: how can I specify an "PEAP/MS-CHAPv2 only" user profile? how can i specify a "TTLS/PAP only" user profile? thanks artur