I'm trying to finally rid myself of Cisco ACS with FR 1.1.3 and mostly having great success (performance is so much better!) but can't seem to figure out how to handle two different types of wireless authentication in separate non-overlapping ways. Case 1 is EAP/TLS where user ID (email address from cleint cert) is also looked up via LDAP. Case 2 is MAC authentication using the users file. I have both of these working with one issuse, MACs that are not in the users file are being sent to LDAP server adding unnecessary load. authorize { preprocess files ldap { notfound = return } eap } The solution I can think of is to only send user name's that are email addresses to ldap. Is this something that can be done with a proxy conf and realms? I'm having trouble understanding if/how those can influence the authorize section. Thanks, -Keith ------------------------------------------------------------------------ Keith Moores <mailto:kmm6b@virginia.edu> Network Systems ITC-Communications and Systems Division University of Virginia, ITC-2015 Ivy Rd Phone (434) 924-0621 Box 400324, Charlottesville, VA 22904-4324 Fax (434) 982-4715