hege wrote:
> 1. The ldap doesn't replace (expand) the calling-station-id to the mac
> address, just one time (first)

No. *Outside* of the TLS tunnel, the Calling-Station-Id exists. *Inside*, it doesn't.

Set "copy_request_to_tunnel = yes" in eap.conf, "peap" sub-section. This is documented.

Alan DeKok.