Hello, I'm using freeradius 3.0.12 with rlm_ldap authentication. I configured it as suggested in README: authorize { ... ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } ... } authenticate { ... Auth-Type ldap { ldap } ... } I wonder what is the best practice for user permissions. 1. in users file : DEFAULT Auth-Type := ldap, LDAP-Group == "reseau" cisco-avpair :="shell:priv-lvl=15" DEFAULT Auth-Type := Reject OR 2. in post-auth section if (LDAP-Group == "reseau") { update reply { cisco-avpair :="shell:priv-lvl=15" } } else { reject } Could someone give me an explanation of the best way to go ? Best regards, Sam