I have an issue with recursive string expansion -- that is, it is recursing in a situation where I'd rather it didn't. Specifically, with freeradius 3.0.13, in policy.d/moonshot_targeted_ids, if I set targeted_id_salt = '${changeme' then I get the error: Fri May 26 20:23:37 2017 : Error: /etc/freeradius/policy.d/moonshot-targeted-ids[40]: Reference "${changeme%{tolower}" not found Fri May 26 20:23:37 2017 : Error: Failed expanding section name Fri May 26 20:23:37 2017 : Error: /etc/freeradius/policy.d/moonshot-targeted-ids[41]: Failed allocating memory for section Fri May 26 20:23:37 2017 : Error: Errors reading or parsing /etc/freeradius/radiusd.conf This seems to be a reference to these two lines (starting at line 40) : if (&outer.request:GSS-Acceptor-Host-Name) { if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) { So it definitely looks like ${policy.targeted_id_salt} is expanded once, and then something attempts to expand the expanded string, which fails because '${changeme' is invalid xlat syntax. I haven't found any user documentation indicating whether string expansion is recursive. I did find an older post by Arran where he says that "rlm_sql does recursive xlat" (see (http://lists.freeradius.org/pipermail/freeradius-users/2009-April/037249.htm...). This makes me wonder whether this behavior is decided upon by the module's implementer. If there is a way to prevent this behavior (i.e., force a string to be expanded non-recursively), I'd love to hear about it. I'd be happy to file a bug (or feature request) if that would be appropriate. Thanks, Dan Breslau