Hi, I stumbled upon a possible issue with v3.0.12 when rejecting a previously accepted user in de post-auth section. Here's my linelog module instance and post-auth section configuration: linelog linelog_auth { filename = ${logdir}/radius.log reference = "%{reply:Packet-Type}" format = "" Access-Accept = "%t : Access-Accept: User-Name=%{User-Name}" Access-Reject = "%t : Access-Reject: User-Name=%{User-Name}" } post-auth { # ACCEPT { reject linelog_auth # } Post-Auth-Type REJECT { linelog_auth } } And here's the debugging output: (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known-good" SSHA-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/raddb/server.conf (0) post-auth { (0) [reject] = reject (0) } # post-auth = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/server.conf (0) Post-Auth-Type REJECT { (0) linelog_auth: EXPAND %{reply:Packet-Type} (0) linelog_auth: --> Access-Accept (0) linelog_auth: EXPAND %t : Access-Accept: User-Name=%{User-Name} (0) linelog_auth: --> Fri Nov 18 15:12:54 2016 : Access-Accept: User-Name=x (0) linelog_auth: EXPAND /var/log/radius/radius.log (0) linelog_auth: --> /var/log/radius/radius.log (0) [linelog_auth] = ok (0) } # Post-Auth-Type REJECT = ok (0) Sent Access-Reject Id 48 from x.x.x.x:1812 to x.x.x.x:1814 length 0 (0) Finished request So using the always reject module in post-auth works to get an Access-Reject at the end. But for some reason, it looks like the reply:Packet-Type is not changed to Access-Reject when entering the Post-Auth-Type REJECT section. Am I forgetting to set something in addition to just "reject" or should the reply:Packet-Type value have been updated when the linelog module is called ? My workaround would be to set reply:Packet-Type in the Post-Auth-Type REJECT section before calling the linelog module. Like so and then it works ok: post-auth { # ACCEPT { reject linelog_auth # } Post-Auth-Type REJECT { update reply { Packet-Type := Access-Reject } linelog_auth } } Would that be a good workaround or are there better workarounds ? -- Regards, Thor