Hello, Unfortunately, I tried your proposals this morning with non success : I've got this error during last challenge : # prise en compte du compte myuser myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" innertunnel authorize { .... # # Read the 'users' file files if (&request:User-Name == "myuser") { update { # &Cleartext-Password = &request:User-Name &control:SMB-Account-CTRL-TEXT := '[N]' &reply:MS-CHAP2-Success = 'password-free' } } .... rlm_ldap (ldap): Reserved connection (0) (10) ldap: EXPAND (uid=%{mschap:User-Name}) (10) ldap: --> (uid=anonymous) (10) ldap: Performing search in "dc=insa-rennes,dc=fr" with filter "(uid=anonymous)", scope "sub" (10) ldap: Waiting for search result... (10) ldap: Search returned no results rlm_ldap (ldap): Released connection (0) (10) [ldap] = notfound (10) [expiration] = noop (10) [logintime] = noop (10) [pap] = noop (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap: Removing EAP session with state 0xf1f3b91af8dda0ab (10) eap: Previous EAP request found for state 0xf1f3b91af8dda0ab, released from the list (10) eap: Peer sent packet with method EAP PEAP (25) (10) eap: Calling submodule eap_peap to process data (10) eap_peap: (TLS) EAP Done initial handshake (10) eap_peap: Session established. Decoding tunneled attributes (10) eap_peap: PEAP state send tlv success (10) eap_peap: Received EAP-TLV response (10) eap_peap: Client rejected our response. The password is probably incorrect (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (10) eap: Sending EAP Failure (code 4) ID 46 length 4 (10) eap: Failed in EAP select (10) [eap] = invalid (10) } # authenticate = invalid (10) Failed to authenticate the user (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Post-Auth-Type REJECT { That's what Brian expected :( => server is ok but client don't Any other way to reach my goal ? Thanks -- Cédric Delaunay Equipe Infrastructures / Direction du Système d'Information RSSI Suppléant Tél. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coësmes CS 70839 - 35 708 RENNES Cedex 7 De: "Cedric Delaunay" <cedric.delaunay@insa-rennes.fr> À: "freeradius-users" <freeradius-users@lists.freeradius.org> Envoyé: Jeudi 2 Avril 2026 21:41:09 Objet: Re: 802.1X - ldap AND users file Hello, Thanks for your answers, I will look at this as soon as possible Cédric -- Cédric Delaunay Equipe Infrastructures / Direction du Système d'Information RSSI Suppléant Tél. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coësmes CS 70839 - 35 708 RENNES Cedex 7 De: "Cedric Delaunay" <cedric.delaunay@insa-rennes.fr> À: freeradius-users@lists.freeradius.org Envoyé: Mercredi 1 Avril 2026 17:22:58 Objet: 802.1X - ldap AND users file Hello List, Network Wired Project running here. Devices users authenticate successfully using peap/mschapV2 and ldap backend outer identity is configured as anonymous I'd like to find how to force "accept" for a special user, based on "mods-config/files/authorize" file - user is logged-in on device so that is real username is kown only by inner-tunnel - user isn't known by ldap (that's why I try with "users" file) - user's password may change so that I don't want to check it "users" entry looks like : myuser Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, #Tunnel-Private-Group-ID = "407", Tmp-String-1 = "407" Tmp-String-1 is used by default/post-auth section as it : update reply { Tunnel-Private-Group-Id := "%{reply:Tmp-String-1}" } files module is enabled in inner tunnel/authorize My problem : I cant see "accept" during inner-tunnel (after authorize file module) (9) files: users: Matched entry myuser at line 99 (9) [files] = ok (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel but next challenge says (10) eap_peap: ERROR: We sent a success, but the client did not agree (10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed Il don't know what is the best way to achieve this. Any idea ? Thanks -- : Cédric Delaunay Service Infrastructure Systèmes et Réseaux / Direction du Système d'Information Admin Réseau / RSSI Suppléant Tel. : +33 (0)2 23 23 8568 INSA Rennes 20 avenue des Buttes de Coêsmes CS 70839 - 35 708 RENNES Cedex 7 [ http://www.insa-rennes.fr/ | www.insa-rennes.fr ]