Hallo, we are allowing access only to users with correct password (obviously), given that some conditions based on a sql query are met: server eduroam-inner-tunnel { authorize { preprocess rewrite.calling_station_id if ("%{sql:SELECT count(*) FROM ... WHERE ... AND condition1 AND condition2 AND condition3}" >= 1) { ok update control { Auth-Type := Accept } } else { reject } auth_log eap openldap mschap } authenticate { ntlm_auth Auth-Type MS-CHAP { mschap } eap } post-auth { if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject } reply_log Post-Auth-Type REJECT { reply_log } } I't working fine, but the logs always show "Login incorrect", without detailing what caused the failure: Nov 30 15:28:50 radius1 freeradius[2248]: Login incorrect: [myuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD221) I'd like to have something like: Nov 30 15:28:51 radius1 freeradius[2248]: Condition1 not met: [ myuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD221) Nov 30 15:28:52 radius1 freeradius[2248]: Login incorrect: [ youruser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD222) Nov 30 15:28:53 radius1 freeradius[2248]: Condition2 not met: [ hisuser@myorg.it] (from client foobar.myorg.it port 0 cli F8450AEFD223) Is it possible to achieve this? Thank you very much for your help, Stefano