Hi, I like the simplicity of being able to use the rlm_files authorize file to manage collections of clients by AD group membership. Using Samba winbind presents AD as local Linux accounts and groups. The following example is where I've defined clients with shortname set as checkpoint_gaia: DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_view" CP-Gaia-User-Role = "monitorRole", CP-Gaia-SuperUser-Access = "0" DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_full" CP-Gaia-User-Role = "adminRole", CP-Gaia-SuperUser-Access = "1" DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Auth-Type := Reject Reply-Message = "Access Denied - Not a member of any checkpoint_gaia security groups" DEFAULT Auth-Type := Reject Reply-Message = "Access Denied" I needed to therefor change the username before running files in authorize. My current mess is this: authorize { <snip> update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"} if (User-Name =~ /^cccccctcikej[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}} if (User-Name =~ /^cccccctcikff[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}} if (&sAMAccountName) {update request {Yubikey-OTP = "%{User-Name}"}} <snip> if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}} files if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}} <snip> post-auth { if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}} Logs subsequently record usernames instead of 44 char token codes. Login OK: [davidh] (from client checkpoint_gaia port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:1 nas-id:router I would prefer to look up the token identifier (first 12 chars) in a file, but don't know yet how to select a portion of an attribute to do that. My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap... Regards David Herselman