Hello, I could succesfully use EAP-TTLS with kerberos authentication. my problem now is that in this way also users who have a certificate can authenticate. I would like only users with kerberos credentials to being able to authenticate in my users file I have DEFAULT Auth-Type = Kerberos in this way any EAP-TLS with a valid certificate can authenticate while I do not want people to use the certificate, because the only method I wish to allow is login/password on kerberos server. There is a way to do it ? To allow ONLY kerberos via EAP-TTLS ? I Tryed with a Auth-Type := Reject but with no luck.. So what I did is this. I wrote this users file: "user1" Auth-Type = Kerberos DEFAULT Auth-Type := Reject in this case the user called user1 can authenticate with Kerberos credential and he cannot authenticate if it has a certificate, this as I Wantet but THIS WORKS only for user1 I want to do it for all users in the Kerberos database, and I do not like to write all the usernames in the users file. If I use DEFAULT instead of "user1" in the line above it does not work ... Please maybe there is a hint which could help me ? thanks Rick