Hello I was wondering if there would be any complaints if the PRE_PROXY and POST_PROXY methods in the rlm_ldap module were added to call mod_authorize in rlm_ldap.c extern module_t rlm_ldap; module_t rlm_ldap = { .magic = RLM_MODULE_INIT, .name = "ldap", .inst_size = sizeof(rlm_ldap_t), .config = module_config, .bootstrap = mod_bootstrap, .instantiate = mod_instantiate, .detach = mod_detach, .methods = { [MOD_AUTHENTICATE] = mod_authenticate, [MOD_AUTHORIZE] = mod_authorize, [MOD_ACCOUNTING] = mod_accounting, [MOD_POST_AUTH] = mod_post_auth, #ifdef WITH_PROXY [MOD_PRE_PROXY] = mod_authorize, [MOD_POST_PROXY] = mod_authorize, #endif }, }; As that means I can inject some extra VSA's in a Access-Accept back to the Client. I'm currently rebuilding a hosted Radius Proxy service that sends a very stripped down list of attributes to the end customer which rlm_attr_filter deals nicely to in pre-proxy, but based on the accept I want to inject a whole lot of L2TP realm specific VSAs before the response goes back to the NAS that the end customer has no idea of. I had thought if I had added in the valuepair_attribute I could add proxy-reply: but in the authorize section I get an error as it's invalid in this context: (1) ldap: control:Proxy-To-Realm := "Group1" (1) ldap: WARNING: List "proxy-reply" is not available (1) ldap: ERROR: Mapping "L2TP" -> "proxy-reply:Tunnel-Type:2" invalid in this context (1) ldap: WARNING: Failed adding "proxy-reply:Tunnel-Type:2 = L2TP" to request, skipping... But in post-proxy it's happy with that attribute: (1) # Executing section post-proxy from file /appl/freeradius/30x/etc/raddb/sites-enabled/default (1) post-proxy { rlm_ldap (ldap): Reserved connection (3) (1) ldap: EXPAND (cn=%{Realm}) (1) ldap: --> (cn=customer) (1) ldap: Performing search in "o=identities" with filter "(cn=customer)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "cn=customer,ou=Realms,ou=Proxy,o=Identities" (1) ldap: Processing user attributes (1) ldap: control:Proxy-To-Realm := "Group1" (1) ldap: proxy-reply:Tunnel-Type:2 = L2TP Adding the MOD_PRE/POST_PROXY works for me pointing to mod_authorize, but not sure it's generally an acceptable way to achieve it. Cheers Peter