Hi, Can anyone help advise if FreeRADIUS is suitable without any other changes to the existing infrastructure at my institution? If so, any advice on the best way to implement would be appreciated. I am looking at options for replacing MS NPS with basically something better that works and is debuggable. FreeRadius looks the best option. Our setup is a little complicated. Wireless users authenticate with EAP type PEAP, the inner authentication being done via MSCHAPv2. At the backend, we have a *nix based LDAP server with a particular attribute set for if a user is permitted to access the wireless network. Passwords are stored in an encrypted format. When a user binds, they can not see the resource attribute saying if they are permitted to use wireless. The LDAP information is pushed into active directory, where a wireless user group is created and populated by those who have the wireless flag set. Currently NPS authenticates against AD and checks this group. My preference would be to leave any windows stuff out of the equation. I followed a couple of online guides and have had FreeRadius successfully authenticate users against AD, however I then found something saying if I wanted to check groups I would have to use LDAP. Following the information in the Dirk van der Walt book, it states that you can bind to LDAP as a user but are limited to PAP authentication or you can read the userPassword attribute which must be plain text if MSCHAP is needed. Neither sounds suitable for what I need. Is it possible for FreeRadius to use EAP, MSCHAP, check a LDAP attribute and an encrypted password? As the password is encrypted and of little use, our LDAP expert suggested that we bind using a system account to check the account exists and has rights for wireless (I have this bit working), then to authenticate a bind is made as the user. Does this sound reasonable? Would binding to the AD server as an LDAP server offer any better avenue? As this is currently a proof-of-concept lab exercise, we do not want to make any changes to our existing infrastructure if possible. If that is required, giving users permission to see their wireless attribute in LDAP seems like the least painful. Sorry for the rambling posts, I'm in the newbie situation of being faced with many paths open to me, and not really knowing the best one to take. Yours DaveH