One interesting benefit of XAUTH (or rather so-called legacy authentication schemes) is that you can revoke user from the RADIUS database very quickland reliably - for sure much faster and simpler than dealing with CRLs in it's current state of PKI. Slava Kavsan IRE