Hello, I'm currently in the process of switching from an old freeradius 1.1.6 to a more recent 2.0.4 (both with debian packages, rebuilt against openssl). I used to support only 802.1x or WPA clients, all using PEAP/MSchapv2, so I had default_eap_type=peap in my configuration. But now, I will also have to support a few 802.1x clients using TLS or MD5. The bad news is that some IP phones fail to authenticate when default_eap_type=peap (they only support MD5). Changing to default_eap_type=md5 works, but I'm not satsified with it since most clients use PEAP... In the default EAP configuration, it is written, about the default_eap_type=peap option: # If the EAP-Type attribute is set by another module, # then that EAP type takes precedence over the # default type configured here. Hence, I thought I would use the hints file to force EAP-Type (the good news is that I can recognize the IP phones with their username): CP-7942G-SEP0024C4BE96B7 EAP-Type = MD5-Challenge But this apparently does not work. I also tried to have several eap instances, and check User-Name to know which one to use in the authorize and authenticate section: if (User-Name == "CP-7942G-SEP0024C4BE96B7") { eap_ipphones } else { eap } But then freeradius -X fails to start with: /etc/freeradius/sites-enabled/default[234]: Unknown Auth-Type "(User-Name == "CP-7942G-SEP0024C4BE96B7")" in authenticate sub-section. Is there a way I can have per-user default_eap_type? Regards, -- Nicolas Boullis Ecole Centrale Paris France