Hi all, I need to enable some users to login on different groups of CISCO devices getting different shell:priv-lvl. I'm trying to group the devices by their ip using a dynamic-clients template. I'd like to send them to a different virtual server based on source network of the auth request. Then I'd like to be able to choose which shell:priv-lvl give them using LDAP attributes like "o=groupA-shellPriv15" or "o=groupA-shellPriv7". I'm trying to achieve the first result using a configuration like this one: client my-dynclient { ipaddr = 10.200.20.0/24 dynamic_clients = my-dynclients lifetime = 3600 } server my-dynclients { authorize { if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") { update control { &FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}" &FreeRADIUS-Client-Shortname = "%{ldap:ldap:///BASEDN?radiusClientShortname,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}" &FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}" &FreeRADIUS-Client-Virtual-Server = "%{ldap:ldap:///BASEDN?radiusClientVirtualServer,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}" } } ok } } when trying the login, the if condition succeeds: Fri Jan 12 16:12:57 2018 : Debug: rlm_ldap (ldap): Bind successful Fri Jan 12 16:12:57 2018 : Debug: (0) EXPAND %{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})} Fri Jan 12 16:12:57 2018 : Debug: (0) --> radiusClient Fri Jan 12 16:12:57 2018 : Debug: (0) if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") -> TRUE Fri Jan 12 16:12:57 2018 : Debug: (0) if ("%{ldap:ldap:///BASEDN?objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}") { Fri Jan 12 16:12:57 2018 : Debug: (0) update control { Fri Jan 12 16:12:57 2018 : Debug: (0) EXPAND %{Packet-Src-IP-Address} Fri Jan 12 16:12:57 2018 : Debug: (0) --> 10.200.20.79 Fri Jan 12 16:12:57 2018 : Debug: (0) &FreeRADIUS-Client-IP-Address = 10.200.20.79 Fri Jan 12 16:12:57 2018 : ERROR: (0) Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve even if I get for the first time: "Bad attributes list in LDAP URL. URL must specify exactly one attribute to retrieve". While retrieving FreeRADIUS-Client-Shortname, FreeRADIUS-Client-Secret and FreeRADIUS-Client-Virtual-Server I got empty values and the same error about LDAP URL. I'm not sure about the debug message, I read that it is not possible to get just the value you need using an LDAP uri and no further filtering: am I wrong? Previously I did try to decide which privilege level send as a radiusReply by scanning the LDAP in a similar way: post-auth { ... if ("%{ldap:ldap://BASEDN?objectClass?one?(&(o=groupA-shellPriv15)(cn=%{User-Name})}") { update reply { #reply:ReplyAttribute += 'cisco-avpair = "shell:priv-lvl=15"' Reply-Message += "Bingo!!!" } } This worked in a setup without dynclients using the Reply-Message and raised an error while experimenting with the ReplyAttribute. Do someone have suggestions to realize such a setup? How much of this is possible to move to LDAP (and then eventually delegate to a web GUI)? Best regards, Giuseppe