I'm using EAP-TLS and authentication works well. I also sanitize Called-Station-Id, Calling-Station-Id and in the same process create Called-Station-Ssid. This also works very well. This is done at first in the authorize section. My mods-config/files/authorize file has two entries as below. tlsuser Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "43", Tunnel-Type = "VLAN" DEFAULT Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "1", Tunnel-Type = "VLAN" My switches support Dynamic VLAN Assignment so this current configuration is fine. My Wifi Access Points however do NOT support it, thus I have to use a unique SSID for each VLAN. Because of that I have to check to which SSID a user is connecting to and accept or reject him based on which VLAN he's allowed to access. I tried using (note the single = in the check item!) tlsuser Called-Station-Ssid = "vlan43" Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "43", Tunnel-Type = "VLAN" This allows me to connect to a switch (which doesn't cause the creation of Called-Station-Ssid) but also to an access point. However, it does not prevent me connecting to a forbidden SSID. If I use == in the check item it actually does prevent me from connecting to a forbidden SSID but also from connecting through switches. So, should I use a regex in the "users" file for each user entry or should I do this with a policy using unlang? And if using unlang is advised - I think using groups is the better approach than hardcoding usernames into the code - how do I create groups which contain a) the usernames that are part of that group and b) one or more Called-Station-Ssid entries the user is allowed to connect to? I thought about arrays but I couldn't find infos if it's supported or how it's used. I actually have a perfectly working unlang code for doing what I want to achieve but that checks LDAP and I want to get rid of it since it's kind of an overkill for just assigning users into groups. Thank you very much in advance! Ben