Hi Alan, I run the same config (as previous post) which works as you indicated (and Ivan) with radtest however when I use a windows client this is what I get.... and the rearrangement of the username rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=203, length=139 User-Name = "****\\raduser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-11" Calling-Station-Id = "00-15-C5-02-39-99" EAP-Message = 0x02020011014e494e545c72616475736572 Message-Authenticator = 0xfb84a2ca75668b069afe6577aef9a486 NAS-Port-Type = Ethernet NAS-Port = 50117 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok perl_pool: item 0x2acfd70 asigned new request. Handled so far: 1 found interpetator at address 0x2acfd70 rlm_perl: RAD_REQUEST: NAS-Port-Type = Ethernet rlm_perl: RAD_REQUEST: Service-Type = Framed-User rlm_perl: RAD_REQUEST: Calling-Station-Id = 00-15-C5-02-39-99 rlm_perl: RAD_REQUEST: Called-Station-Id = 00-13-19-EE-6F-11 rlm_perl: RAD_REQUEST: Message-Authenticator = 0xfb84a2ca75668b069afe6577aef9a486 rlm_perl: RAD_REQUEST: User-Name = ****\\raduser rlm_perl: RAD_REQUEST: EAP-Message = 0x02020011014e494e545c72616475736572 rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.1.9 rlm_perl: RAD_REQUEST: NAS-Port = 50117 rlm_perl: RAD_REQUEST: Framed-MTU = 1500 rlm_perl: Added pair NAS-Port-Type = Ethernet rlm_perl: Added pair Service-Type = Framed-User rlm_perl: Added pair Calling-Station-Id = 00-15-C5-02-39-99 rlm_perl: Added pair Called-Station-Id = 00-13-19-EE-6F-11 rlm_perl: Added pair Message-Authenticator = 0xfb84a2ca75668b069afe6577aef9a486 rlm_perl: Added pair User-Name = ****\\raduser rlm_perl: Added pair EAP-Message = 0x02020011014e494e545c72616475736572 rlm_perl: Added pair NAS-IP-Address = 10.0.1.9 rlm_perl: Added pair NAS-Port = 50117 rlm_perl: Added pair Framed-MTU = 1500 perl_pool total/active/spare [32/0/32] Unreserve perl at address 0x2acfd70 ++[perl] returns updated ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "****\ aduserr", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() expand: dc=ads,dc=nint,dc=org -> dc=ads,dc=nint,dc=org expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname= aduserr) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=***,dc=****,dc=***, with filter (sAMAccountname= aduserr) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=***,dc=****,dc=***, with filter (sAMAccountname= aduserr) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler ++[eap] returns invalid auth: Failed to validate the user. Login incorrect (rlm_ldap: User not found): [****\\\raduser] (from client switch-man-lan port 50117 cli 00-15-C5-02-39-99) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> ****\ aduserr attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 203 to 10.0.1.9 port 1645 Finished request 1.