--- a/raddb/policy.d/accounting
+++ b/raddb/policy.d/accounting
@@ -34,7 +34,7 @@
 	#
 	if("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
 		update request {
-			Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
+			&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
 		}
 	}
 
@@ -46,7 +46,7 @@
 	#
 	else {
 		update request {
-			Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
+			&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
 		 }
 	}
 }
@@ -65,8 +65,8 @@
 #
 acct_counters64.preacct {
 	update request {
-		Acct-Input-Octets64 = "%{expr:(%{%{Acct-Input-Gigawords}:-0} * 4294967296) + %{%{Acct-Input-Octets}:-0}}"
-		Acct-Output-Octets64 = "%{expr:(%{%{Acct-Output-Gigawords}:-0} * 4294967296) + %{%{Acct-Output-Octets}:-0}}"
+		&Acct-Input-Octets64 = "%{expr:(%{%{Acct-Input-Gigawords}:-0} * 4294967296) + %{%{Acct-Input-Octets}:-0}}"
+		&Acct-Output-Octets64 = "%{expr:(%{%{Acct-Output-Gigawords}:-0} * 4294967296) + %{%{Acct-Output-Octets}:-0}}"
 	}
 }
 
--- a/raddb/policy.d/eap
+++ b/raddb/policy.d/eap
@@ -76,7 +76,7 @@
 remove_reply_message_if_eap {
 	if(reply:EAP-Message && reply:Reply-Message) {
 		update reply {
-			Reply-Message !* ANY
+			&Reply-Message !* ANY
 		}
 	}
 	else {
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -415,8 +415,8 @@
 	#  member.  This can allow for some finer-grained access
 	#  controls.
 	#
-#	user = radius
-#	group = radius
+	user = radius
+	group = radius
 
 	#  Core dumps are a bad thing.  This should only be set to
 	#  'yes' if you're debugging a problem with the server.
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -314,9 +314,9 @@
 	#  for the many packets that go back and forth to set up TTLS
 	#  or PEAP.  The load on those servers will therefore be reduced.
 	#
-	eap {
-		ok = return
-	}
+#	eap {
+#		ok = return
+#	}
 
 	#
 	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
@@ -457,7 +457,7 @@
 
 	#
 	#  Allow EAP authentication.
-	eap
+#	eap
 
 	#
 	#  The older configurations sent a number of attributes in
@@ -748,7 +748,7 @@
 		# Insert EAP-Failure message if the request was
 		# rejected by policy instead of because of an
 		# authentication failure
-		eap
+#		eap
 
 		#  Remove reply message if the response contains an EAP-Message
 		remove_reply_message_if_eap
@@ -817,7 +817,7 @@
 	#  hidden inside of the EAP packet, and the end server will
 	#  reject the EAP request.
 	#
-	eap
+#	eap
 
 	#
 	#  If the server tries to proxy a request and fails, then the
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -116,9 +116,9 @@
 	#  for the many packets that go back and forth to set up TTLS
 	#  or PEAP.  The load on those servers will therefore be reduced.
 	#
-	eap {
-		ok = return
-	}
+#	eap {
+#		ok = return
+#	}
 
 	#
 	#  Read the 'users' file
@@ -227,7 +227,7 @@
 
 	#
 	#  Allow EAP authentication.
-	eap
+#	eap
 }
 
 ######################################################################
@@ -380,7 +380,7 @@
 	#  hidden inside of the EAP packet, and the end server will
 	#  reject the EAP request.
 	#
-	eap
+#	eap
 
 	#
 	#  If the server tries to proxy a request and fails, then the