hi, do you want to authorise using the e-directory (authorize is are they allowed from that NAS at that time etc....)... surely you only want to authenticate based on the inner EAP details too..
if you use 2.1.x then you can ensure that EAP methods get thrown to the inner-tunnel - and have your LDAP authentication in the inner tunnel - then LDAP is only called when its needed... likewise authorise. only call LDAP when you really believe the details and need to likewise, only call a module if you need to - you should be able to vastly reduce calls to your backend infrastructure (i know we did!) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html