Hi list, we're using for OPT authentification a Vasco Identikey server. Unfortunately the software is rather limited, e.g. it is not possible to define access rules based on groups. The server is able to perform a RADIUS password challenge but only as "PIN and OTP are correct" - not exactly the kind of authentication I expected... The only way to get something like grouping with this product is out-sourcing to the client: Vasco cann add a filter-id attribute to the response, if the client is capable of interpreting such responses it is possible to group users (though with strings on a per-user base). As we plan to use the OTP tokens to secure our SSH service I searched for a method to authorize users not only with RADIUS but additionally the feature to check for specific filter-ids in the response - it seems no one has ever implemented such a thing. Anyway, I extended pam_radius* so it is possible to use filter-ids for authentication - the patches for 1.3.17 are attached. Would an extension like this useful for the vanilla release of pam_radius? Greetings Renke *) I am _not_ a programmer, the stuff I changed should be checked/rewritten/used only as concept...