Hi, I use freeradius-3.0.12 on centos 7.3 with an openldap 2.4 and a samba attribute EAP / PEAP authentication MSCHAPV2. I want to authentificate and authorize users according to their attribute on the LDAP. I created an attribute LDAP-Desc mapped with the field eduPersonPrimaryAffilation on my LDAP. I want to put user on specific VLAN if they are students, employee .... or outer people. For that I use in the inner-tunnel the capabilities to return AVP like Tunnel-Private-Group-Id with the good value . It's work very well, for internal and also for external people. I tested also the realm value in the default server and I put also the good Tunnel-Private-Group-Id depending the value of realm. It's work with device like smartphone, pc ... and also with the command. eapol_test -c afile -p1812 -smysecret -r1 Everything seems good but not when I use radtest command I can't authentificate internal or external people with the test command radtest [root@freeradius-3-a test]# radtest 'teststudent' 'a1z2e3r4*' localhost 1812 mysecret Sent Access-Request Id 154 from 0.0.0.0:54585 to 127.0.0.1:1812 length 81 User-Name = "teststudent" User-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "a1z2e3r4*" Received Access-Reject Id 154 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject nor radtest -t mschap 'teststudent' 'a1z2e3r4*' 127.0.0.1:18120 1 mysecret I got ot@freeradius-3-a test]# radtest -t mschap 'teststudent' 'secret' 127.0.0.1:18120 1 mysecret Sent Access-Request Id 129 from 0.0.0.0:34088 to 127.0.0.1:18120 length 137 User-Name = "teststudent" MS-CHAP-Password = "a1z2e3r4*" NAS-IP-Address = 195.83.247.135 NAS-Port = 1 Message-Authenticator = 0x00 Cleartext-Password = "secret" MS-CHAP-Challenge = 0x3a7dd0c59a922170 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ae872e407e206d5579b1515fbf4e92f594e5c5e66739c6e7 Received Access-Reject Id 129 from 127.0.0.1:18120 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject Perhaps the problem comes from /etc/raddb/mods-enabled/mschap files and I tried differents values with no good results. mschap { with_ntdomain_hack = no #authtype = MS-CHAP allow_retry = yes use_mppe=yes require_encryption = yes require_strong = yes ..... I am not sure about the good values needing for this section. I would like to have an advice before using this configuration in production environment. here a debug with a Successful results Thanks in advance for you help PS: sorry for my english I hope it's comprehensible. -- Michel Villeneuve Tel 02 98 01 71 61