Hi List, It's a bit naive question, just to keep concepts clear. I want to use the "dialupAccess" attribute to enable or disable one user/host to login. So if "dialupAccess : disabled", the user/host is rejected. I've one ldap instance with: # # Group membership checking. Disabled by default. # groupname_attribute = dialupAccess groupmembership_filter = "(objectClass=radiusProfile)(uid=%u)" groupmembership_attribute = dialupAccess In users: ############################################################################ ###### ## Disabled accounts in LDAP ############################################################################ ###### DEFAULT Ldap-Group==disabled, Auth-Type := Reject Reply-Message := "FAIL: Account disabled. Please call helpdesk.", Fall-Through = no ############################################################################ ###### Matchs the idea?, or should be done in a different way? Thanks.