The problem is that all the users are valid and SQL module returns OK replyattribute list is empty, so I need somehow reject the user I did some dirty workaround if (!reply:Service-Type) { # reply list does not contain Service-Type reject } See in debug output a valid user with valid password comes from wrong NAS-IP-Address which does not belong to check attributes of the user's group ++[sql] returns ok ++? if (!reply:Service-Type) ? Evaluating !(reply:Service-Type) -> FALSE ++? if (!reply:Service-Type) -> TRUE ++- entering if (!reply:Service-Type) +++[reject] returns reject ++- if (!reply:Service-Type) returns reject Found Post-Auth-Type Reject +- entering group REJECT The problem is that I do not want to rely that reply list always contains Service-Type reply:Service-Type The SQL module returns OK even if there are no reply attributes Thanks again -- View this message in context: http://www.nabble.com/authorization%3A-unlang-NAS-IP-Address-tp18609937p1861... Sent from the FreeRadius - User mailing list archive at Nabble.com.