I've a FR and LDAP server configured that seems to be performing nicely except for one small issue where an 'Auth-Type := Reject' in my users file seems to have little affect. In brief, I want users not caught by the following users file: *** START *** DEFAULT Ldap-Group == "disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled.", Fall-Through = No DEFAULT Ldap-Group == vpn, Service-Type == Framed-User, Framed-Protocol = PPP, NAS-Port-Type = Virtual, NAS-IP-Address = 192.168.9.41 Service-Type == Framed-User, Framed-Protocol = PPP, NAS-Port-Type = Virtual, NAS-IP-Address = 192.168.9.41, Framed-MTU = 1453, Fall-Through = No DEFAULT Ldap-Group == eng Fall-Through = No DEFAULT Auth-Type := Reject Reply-Message = "You are not permitted to access this device.", Fall-Through = No *** END *** ...but I'm finding that after processing the users file, my system continues to mschap section and makes a match there, as shown by this debug output: *** START *** rad_recv: Access-Request packet from host 192.168.9.41:1026, id=133, length=178 Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 105 NAS-Port-Type = Virtual User-Name = "someuser" Calling-Station-Id = "192.168.9.168" Called-Station-Id = "192.168.9.129" MS-CHAP-Challenge = 0x607a4a1f3f48e0381d09e53ee7ef6e03 MS-CHAP2-Response = 0x01005c3c70b1b3a11f639e4e5f2bf0f6bd470000000000000000eb8ff1d6edf5e9776a113fa99055f11c98fc14c00862a039 NAS-Identifier = "MTFWB1" NAS-IP-Address = 192.168.9.41 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=example,dc=com' radius_xlat: '(uid=someuser)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=example,dc=com/alphacubed to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example,dc=com, with filter (uid=someuser) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(uid=someuser)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (&(radiusGroupName=vpn)(&(uid=someuser)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=someuser,ou=Users,dc=example,dc=com, with filter (objectclass=*) rlm_ldap::groupcmp: Group vpn not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=example,dc=com' radius_xlat: '(&(uid=someuser)(objectclass=radiusprofile))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (&(radiusGroupName=eng)(&(uid=someuser)(objectclass=radiusprofile))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in uid=someuser,ou=Users,dc=example,dc=com, with filter (objectclass=*) rlm_ldap::groupcmp: Group eng not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 20 modcall[authorize]: module "files" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' modcall[authorize]: module "mschap" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for someuser radius_xlat: '(uid=someuser)' radius_xlat: 'dc=example,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (uid=someuser) rlm_ldap: Added password somepassword in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user someuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type MS-CHAP auth: type "MS-CHAP" Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 0 rlm_mschap: Told to do MS-CHAPv2 for someuser with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 0 modcall: leaving group MS-CHAP (returns ok) for request 0 radius_xlat: 'You are not permitted to access this device.' Login OK: [someuser/<no User-Password attribute>] (from client MTFWB1 port 105 cli 192.168.9.168) Sending Access-Accept of id 133 to 192.168.9.41 port 1026 Reply-Message = "You are not permitted to access this device." MS-CHAP2-Success = 0x01533d46433044334636383834393332343331323831464645453543413830433631304144374134383143 MS-MPPE-Recv-Key = 0x74266040b72c4528a1cb85a696516b97 MS-MPPE-Send-Key = 0x782ad9e71513837630833dcc9845612c MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 Finished request 0 Going to the next request *** END *** How can I stop processing after the reject message in the users file?? Many thanks. Iain.