Hi Everybody, I found the solution to the task I described, it is quite simple. I would like to share the solution with you just in case you want the same feature in the future. I've added post-auth callback for "files" module, which actually just calls callback used for authentication. post-auth callback is called only in case we successfully authenticated and so we can use it only when Access-Accept is going to be sent. In case of Access-Challenge we did not go to this section, so that we can write configuration file like the following: "users" file: # This rule will be applied only in case RADIUS Server sends Access-Accept message, # You can add any attributes you want to be sent in Accept message, and olse # overwrite (or remove) attributes added in common rule (specified below). "oleg" Response-Packet-Type == Access-Accept, User-Password == "oleg pass" Acct-Interim-Interval := 60, Idle-Timeout := 20, Class := "Accept Class", Session-Timeout := 50, # We want Session-Timeout attribute with 50 in Access-Accept (without this line we will get 100 value, which is set in "common rule") Termination-Action := 0, Session-Timeout -= 100 # this is an example of removing attribute from Access-Accept message, which was added in common rule. # Common rule # We enter this rule any time we get Access-Request message before authentication takes place. # Here we should add a set of attributes we want to be included in Access-Challenge messages. # If you should take care about not including some of these attributes in Access-Accept messages, # you need to remove them explicitly in the previous rule. "oleg" User-Password == "oleg pass" Session-Timeout := 100 # We want Session-Timeout attribute with 100 in Access-Accept Also we should add "files" module into post-auth section - add in "radiusd.conf" file a single line: post-auth { ... # The following line is a new one. files ... } What should be added in sources: ------------------------------------------ src/modules/rlm_files/rlm_files.c Add this function: /* * Execute postauth_query after authentication */ static int file_postauth(void *instance, REQUEST *request) { return file_authorize(instance, request); } Modify the following variable: module_t rlm_files = { ... } instead of line: NULL /* post-auth */ put: file_postauth /* post-auth */ Yes, it is pretty simple. How it works: ------------------ First on "auth" action server skips the first "oleg" user entry as Response-Packet-Type is still "0", and we match the second entry. This entry should keep a set of attributes we need to include in Access-Challenge packet (in our case Session-Timeout equals to 100). When server decides that it is time to send Access-Accept message it does "post-auth" action, and in our case users file is processed again. This time Response-Packet-Type attribute is Access-Accep, so that we overwrite all the attributes set on "auth" action with new ones (using += operators). Hope that will help someone. Best Regards, Oleg. PS: I've been really delighted reading your sources - well-done work! Thank you.