I've got (what I believe is) an interesting engineering problem to solve. I'm going to oversimplify our problem a bit, so for simplicity sake, we use "Auth-Type := Local" right now with a username and password. We're deploying a new certificate-based method now, and I want to figure out the best way to intergrate the two methods. The problem is that the NAS (Cisco 3000) does the certificate authentication, but then queries radiusd server for *authorization* only. Essentially with doing certificate-based authentication, the NAS sends: User-Name = "geoff" User-Password = "geoff" NAS-Port = 1016 Service-Type = Framed-User Framed-Protocol = PPP Called-Station-Id = "10.1.2.99" Calling-Station-Id = "10.0.33.224" Tunnel-Client-Endpoint:0 = "10.0.33.224" NAS-IP-Address = 10.0.32.138 NAS-Port-Type = Virtual whereas when it's doing regular authentication, it sends the same thing as above, except User-Password = "mysecretpassword". There are no configuration options in the NAS to either restrict the NAS-Port that gets used (ie. cert auth would use ports 1-1000 and regular auth would use 1001-2000), nor is there a way to *apply* a realm to a request (only to strip the realm from the request, which doesn't help me). The only thing the NAS can do that is "helpful" is send cert auth requests to a different UDP port than regular auth requests. To do the first method, I can use 'Auth-Type := Local' and just set the User-Password attribute to the User-Name, or I can use 'Auth-Type := Accept'. Either works just fine, since the NAS is only requesting authorization (ie. is this user in the users file for our NAS). However, because the password it sends is the username, I can't just put two entries in the users file, since anyone doing the "old-style" username/password auth could just enter their username as their password and get access (or more appropriately, joe hacker could user someone's username as that user's password to get unauthorized access). The same NAS is used for both certificate and password auth, so I can't restrict access via the NAS. Also, the same attributes are sent for regular authentication, so I can't differentiate. As mentioned above, I *can* force the NAS to use a different UDP port based on the auth method (ie. certificate auth goes to port 1812 while old-stlye auth goes to port 1645), but I can't tell if there's a way to get radiusd to listen on multiple UDP ports, or if there's a way to determine which UDP port was used in the connection when doing auth (I noticed a Packet-Src-Port attribute in the freeradius.internal dictionary, but I can't tell if there's a way I can use that in the users file). I'm hoping someone might have some insight into the above paragraph. "You'll need to add that" is reasonable insight, so long as that's my only answer - I'm just hoping I can avoid doing that. Thanks!