Hi, On a related note, it occurred to me that I should most probably be sanitising incoming attributes? If the request arrived with sAMAccountName it would then override what I'm setting... Or is it safe, in that there's little point in trying to scrub this if the initiator of the request is compromised? In reference to: update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"} if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}} if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}} if (&sAMAccountName) { update request {Yubikey-OTP = "%{User-Name}"} update control {Auth-Type := "YubiCHAP"} } Regards David Herselman