Hey all! First off, sorry for the noob questions. I've been reading the docs and previous mailing posts, but I'm still a little unclear on some things and wanted to run something by the list first for a sanity check/to see if there's a better way of doing this. I store NASes in MySQL and user accounts in LDAP (if necessary, this can be changed to store NASes in LDAP as well). I want to only allow users to authenticate if they're coming from a specific NAS associated with their account. 1.) What would be the most appropriate attribute for this in LDAP? Accounts currently have the following objectClasses: account, extensibleObject, radiusprofile, simpleSecurityObject, top. I'm thinking radiusClientShortname (since this attribute wouldn't have a "meaningful" association for radiusprofile but is available for use via extensibleObject objectClass - I would store the NASes in a separate base DN from the users). 2.) Can I even use the ${shortname} macro in a raddb/mods-available/ldap:ldap{user{filter=}} context? I would *assume* so since the NAS handling is done before the authentication handling, but assumptions are a bad thing to operate off of. The unlang documentation indicates I can't use unlang in this context, which is fine since I can just incorporate it into the LDAP filter, but I'm having some difficulty finding which macros are available where. 3.) Is there a better way to do this (preferably without duplicating NAS entries)? Ideally without using huntgroups or the like, which is how I usually see this sort of functionality achieved. -- brent saner https://square-r00t.net/ GPG info: https://square-r00t.net/gpg-info