Currently I have several if()s in authorize{} before eap and I think I can not move it past EAP call But during EAP authentication I see this logic gets executed 8(!) times in -X debug session. Can I wrap those if()s into some rule like "If session is new, then execute wrapped logic, else - just bypass wrapped block"? authorize { if (!(&NAS-Port-Type && &NAS-Port-Type == Wireless-802.11)) { update request { &Module-Failure-Message += 'Rejected: NAS-Port-Type is not Wireless-802.11.' } reject } rewrite_called_station_id if (!Called-Station-SSID) { update request { &Module-Failure-Message += 'Rejected: No SSID in Called-Station-Id' } reject } if ("%{client:vlan_for_%{Called-Station-SSID}}") { update session-state { Tunnel-Type := VLAN # rfc3580 Tunnel-Medium-Type := IEEE-802 #rfc2628 Tunnel-Private-Group-Id := "%{client:vlan_for_%{Called-Station-SSID}}" # string, rfc2628 } } else { update request { &Module-Failure-Message += "Rejected: No vlan_for_%{Called-Station-SSID} defined for client %{client:shortname}" } reject } if (!(&User-Name)) { update request { &Module-Failure-Message += 'Rejected: User-Name not provided.' } reject } eap_wifi { ok = return updated = return } } authenticate { eap_wifi }