Generally, you can only do this is if the requests from those "certain APs" have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject.
If I have three access points I don't want users to access, can I do something like below? +-----+------------------+----------------+-------+-------+-----------+ | id | nasname | shortname | type | ports | secret | +-----+------------------+----------------+-------+-------+-----------+ | 136 | 172.18.100.8 | ap-2000-cd6 | other | NULL | letmelook | | 11 | 172.18.100.4 | ap2000-cd-2 | other | NULL | letmelook | | 10 | 172.18.100.5 | ap2000-cd-3 | other | NULL | letmelook | DEFAULT shortname == ap-2000-cd6, Auth-type := reject, Fall-Through = yes DEFAULT shortname == ap2000-cd-2, Auth-type := reject Fall-Through = yes DEFAULT shortname == ap2000-cd-3, Auth-type := reject Joe White ________________________________ System Administrator @ Arvato Digital Services @ 108 Monticello Rd, Weaverville, NC 28787 @ 828-423-0269