Hello, I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on cisco switches. Every switch belongs to a specific group and for every user I'm setting the groups he can access. I also use cisco avpairs for level privilege. So far , so good! The problems occured when I tried to make a user to have different level privileges on different switches . This is the profile I'm using : # test, radius, isp.ro dn: uid=test,ou=radius,dc=isp,dc=ro uid: test objectClass: radiusprofile cn: test userPassword:: xxx radiusGroupName: bucuresti radiusGroupName: valcea radiusServiceType: NAS-Prompt-User # bucuresti, test, radius, isp.ro dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro uid: test objectClass: radiusprofile userPassword:: xxx radiusGroupName: bucuresti radiusServiceType: NAS-Prompt-User radiusCiscoLevel: "shell:priv-lvl=15" cn: bucuresti # valcea, test, radius, isp.ro dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro uid: test objectClass: radiusprofile userPassword:: xxx radiusGroupName: valcea radiusServiceType: NAS-Prompt-User radiusCiscoLevel: "shell:priv-lvl=7" cn: valcea raddb/users # Switch 192.168.50.202 # Descriere test DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti Fall-Through = no DEFAULT Auth-Type := Reject what I need is to filter the ldap search in authorize section based on GroupName and I don't know how. -- ................................................................ Mircea Harapu Abuse Engineer, RDS NOC in Bucharest t: 021-301.08.50 f: 021-301.08.51 e: mircea.harapu@rcs-rds.ro w: www.rdslink.ro ................................................................ Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such a case, you should destroy this message and kindly notify the sender by reply e-mail.