So I used the scriptlet below to remove the host/ section and now no longer get the error message. if (&User-Name =~ /^host\/(.*)$/) { update request { &Cert-CN := "%{1}" } } As I was getting this error: (8) eap_tls: --> host/hostname.domain.com (8) eap_tls: checking certificate CN (hostname.domain.com) with xlat'ed value (host/hostname.domain.com) tls: Certificate CN (hostname.domain.com) does not match specified value (host/hostname.domain.com)! (8) eap_tls: >>> send TLS 1.2 [length 0002] (8) eap_tls: ERROR: TLS Alert write:fatal:internal error tls: TLS_accept: Error in error However I now get the following error: (2) Received Access-Request Id 15 from 10.37.80.11:1812 to 10.10.251.2:1812 length 547 (2) Framed-MTU = 1480 (2) NAS-IP-Address = 10.37.80.11 (2) NAS-Identifier = "de-sw01" (2) User-Name = "host/hostname.domain.com" (2) Service-Type = Framed-User (2) Framed-Protocol = PPP (2) NAS-Port = 26 (2) NAS-Port-Type = Ethernet (2) NAS-Port-Id = "26" (2) Called-Station-Id = "ec-9a-74-19-ad-00" (2) Calling-Station-Id = "e4-54-e8-54-4a-de" (2) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "2" (2) State = 0x0c28a8740c27a50f9f6de32a28f2c7f2 (2) EAP-Message = 0x020f00a60d800000009c160303009701000093030362b4ac3d2994f113ce5e3bd59fbac73691749a9495b7fbc7539910760601aea700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100 (2) Message-Authenticator = 0xc559daf1fcab5e9b102c581c18f3c4c0 (2) MS-RAS-Vendor = 11 (2) HP-Capability-Advert = 0x011a0000000b28 (2) HP-Capability-Advert = 0x011a0000000b2e (2) HP-Capability-Advert = 0x011a0000000b30 (2) HP-Capability-Advert = 0x011a0000000b3d (2) HP-Capability-Advert = 0x011a0000000b18 (2) HP-Capability-Advert = 0x011a0000000b19 (2) HP-Capability-Advert = 0x0138 (2) HP-Capability-Advert = 0x013a (2) HP-Capability-Advert = 0x0140 (2) HP-Capability-Advert = 0x0141 (2) HP-Capability-Advert = 0x0151 (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) eap: Peer sent EAP Response (code 2) ID 15 length 166 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) files: users: Matched entry DEFAULT at line 167 (2) [files] = ok (2) [expiration] = noop (2) [logintime] = noop (2) policy rewrite_calling_station_id { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (2) update request { (2) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (2) --> e4-54-e8-54-4a-de (2) &Calling-Station-Id := e4-54-e8-54-4a-de (2) } # update request = noop (2) [updated] = updated (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (2) ... skipping else: Preceding "if" was taken (2) } # policy rewrite_calling_station_id = updated (2) if (&User-Name =~ /^host\/(.*)$/) { (2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE (2) if (&User-Name =~ /^host\/(.*)$/) { (2) update request { (2) EXPAND %{1} (2) --> hostname.domain.com (2) &User-Name := hostname.domain.com (2) } # update request = noop (2) } # if (&User-Name =~ /^host\/(.*)$/) = noop (2) if (!EAP-Message) { (2) if (!EAP-Message) -> FALSE (2) else { (2) eap: Peer sent EAP Response (code 2) ID 15 length 166 (2) eap: No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) } # else = updated (2) } # authorize = updated (2) Found Auth-Type = eap (2) Found Auth-Type = eap (2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com' (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site (2) Auth-Type EAP { (2) eap: Expiring EAP session with state 0xf81b3429f8f739ad (2) eap: Finished EAP session with state 0x0c28a8740c27a50f (2) eap: Previous EAP request found for state 0x0c28a8740c27a50f, released from the list (2) eap: Identity does not match User-Name. Authentication failed (2) eap: Failed in handler (2) [eap] = invalid (2) } # Auth-Type EAP = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) Post-Auth-Type sub-section not found. Ignoring. (2) Login incorrect (Warning: Found 2 auth-types on request for user 'hostname.domain.com'): [hostname.domain.com] (from client de-sw01 port 26 cli e4-54-e8-54-4a-de) (2) Delaying response for 1.000000 seconds I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that. ________________________________ Miller Homes Limited Registered in Scotland - SC255429 2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment. Miller Homes Limited <https://www.millerhomes.co.uk>