Hi, I installed freeradius 2 but my problem is still there. To remember it : I configured Freeradius to look in openldap directory to authenticate and authorize an user. The authentication phase is OK During the authorize phase, a ldap search is done : if the user is member of a group identified by the host ip he wants to connect, the user is authorized. The problem is here : freeradius receives an Access-Request packet with a NAS-IP-Address (the good one) and to search in the ldap, it doesn't send the ip received in the packet but another one ! Why this attribute is modified ? Is there any cache (the other ip comes from another equipment) ? To precize : I think there is some cache enabled anywhere (the ip used for ldap filter is always the one of the first request), is there any way to disable it ? Before testing, I created the group for IP1 and I added the test user to it. Test 1: - I ran radiusd -X - I try to connect with IP 1. => OK - I try to connect with IP 2 => OK (not right result because to check the membership it's the first IP which is used) Then, I kill radiusd. test 2 : - I ran radiusd -X - I try to connect with IP2 => KO (expected because the group for IP 2 doesn't exist) - I try to connect with IP1 => KO (not expected because the group for IP1 exists) To help, the logs : ------------------------------ rad_recv: Access-Request packet from host 126.50.0.148 port 1645, id=34, length=80 NAS-IP-Address = 126.50.0.148 NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "testuser" Calling-Station-Id = "126.100.100.6" User-Password = "XXXXX" +- entering group authorize {...} ++[preprocess] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: dc=example,dc=com -> dc=example,dc=com [files] expand: (uid=%{User-Name}) -> (uid=testuser) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser) rlm_ldap: ldap_search() failed: LDAP connection lost. rlm_ldap: Attempting reconnect rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: starting TLS rlm_ldap: bind as ou=radius,ou=applications,dc=example,dc=com/XXXXX to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:LDAP-UserDn})) -> (&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (&(cn=126.50.0.147)(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dtestuser\2cuid\3dtest01\2cou\3dusers\2cdc\3dexample\2cdc\3dcom))) rlm_ldap::ldap_groupcmp: User found in group 126.50.0.147 rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok [ldap] performing user authorization for testuser [ldap] expand: (uid=%{User-Name}) -> (uid=testuser) [ldap] expand: dc=example,dc=com -> dc=example,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=example,dc=com, with filter (uid=testuser) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "testuser" with password "azerty12" [ldap] user DN: uid=testuser,uid=test01,ou=users,dc=example,dc=com rlm_ldap: (re)connect to localhost:389, authentication 1 rlm_ldap: starting TLS rlm_ldap: bind as uid=testuser,uid=test01,ou=users,dc=example,dc=com/azerty12 to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [ldap] user testuser authenticated succesfully ++[ldap] returns ok Login OK: [testuser] (from client petitnom port 1 cli 126.100.100.6) Sending Access-Accept of id 34 to 126.50.0.148 port 1645 Nokia-IPSO-User-Role = "adminRole" Nokia-IPSO-SuperUser-Access = 1 Service-Type = Login-User Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 34 with timestamp +52 Ready to process requests. ------------------------------ -- KeV