I have been experimenting with something like this and found you can (mis)use the hints file to do something like this: DEFAULT Hint = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNu mber=%{NAS-IP-Address}}` If you want you can use Huntgroup-Name insttead of hint. in that case, you should add a default, otherwise Huntgroup-Name gets set to "". DEFAULT Huntgroup-Name = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNu mber=%{NAS-IP-Address}:-None}` In this case, Huntgroup-Name gets set to None if it isn't found in ldap. Some caveats: The huntgroup file will not be processed if Huntgroup-Name exists already. Since hints is processed before huntgroups that will be the case. Hints does not implement fallthrough - you get one match only. If you want to process usernames too, instantiate another instance. Another approach I have used is similar to your solution. i used rules in users like this: DEFAULT Ldap-Group == `%{Huntgroup-Name}` Access-Level := RW, Service-Type = Administrative-User, Cisco-AVPair := "shell:priv-lvl=15", Passport-Command-Impact = configuration The huntgroups are defined in the huntgroups file, or could be defined as above; users are put into groups corresponding to the huntgroup names. You can also generate pseudo groups like this: DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO` Access-Level := RO, Service-Type = Nas-Prompt-User So a user in radius group sydney_RO gets Readonly access to devices in huntgroup sydney For this to work you need to apply a patch I submitted in the list some time ago, otherwise the substitution works only once. regards Frank Ranner ________________________________ From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Jonathan De Graeve Sent: Tuesday, 17 October 2006 01:18 To: freeradius-users@lists.freeradius.org Subject: Huntgroupname checkitem in LDAP Hello, i'm looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL. For example if a user belongs to Ldap-Group vpn, the Group in ldap contains an attribute containing the huntgroup names which the Group gives access to. I tried adding 'checkItem Huntgroup-Name' info to my ldap.attrmap with attribute 'info' having value: '=~ ^(vpn|sslvpn)$' (without succes) I had success with the following setup: In users: DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn Fall-Through = no DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn Fall-Through = no DEFAULT Auth-Type := Reject This allows to specify which user has access to which nasgroup by adding groupmemberships to the user. But it breaks the users existing in SQL. I could off course also add the specific SQL-Groups into the users file but this would still require a reorganisation of the SQL users since they only have a Huntgroup-Name attribtue for there grouplevel which specifies multiple huntgroups by using regexp. I'm kinda stuck in how to implement it. Any advice would be greatly appreciated. J.