I have an environment where I am already using LDAP for AAA for a number of things. We have historically used the AuthorizedService attribute in LDAP to control the level of access available to the user. We would like to continue to do so. However, in order for that to work, I need to map AuthorizedService to different RADIUS attributes in the response depending on the authentication client. Ideally, I'd like to be able to map RADIUS clients into "groups" and have a mapping of AuthorizedService values for each group. The client groups would, ideally, be defined by matching the client IP address. An example of what I'd like that mapping to look like is below: Client Group AuthorizedService RADIUS Attribute in Reply ============== ====================== ======================= PIX Group 1 Pix1Auth1 cisco-avpair="shell:priv-lvl=1" PIX Group 1 Pix1Auth7 cisco-avpair="shell:priv-lvl=7" PIX Group 1 Pix1Auth15 cisco-avpair="shell:priv-lvl=15" PIX Group 2 Pix2auth1 cisco-avpair="shell:priv-lvl=1" ... Router Grp 1 Rtr1Auth1 cisco-avpair="shell:priv-lvl=1" ... LB Group 1 LBAdmin Service-Type="Authenticate-Only" ... etc. Is there any way to do this kind of dynamic mapping in FreeRadius? As near as I can tell, all I can do is statically map the contents of a particular LDAP attribute to a single RADIUS attribute. I'd also like to avoid mapping values of AuthorizedService which don't apply to the particular RADIUS client. I'm assuming I probably need to use something like rlm_perl to do this, and, I have no problem doing that, but, I have been unable to decipher the documentation to rlm_perl enough to have any confidence in creating a working solution. If anyone could provide a configuration example or a pointer to documentation that actually describes the various pieces of solving this problem, I'd be very grateful. Alan, your flames and RTFM comments are welcome, but, please understand, I've done my best to RTFM before posting this. Owen