I am using EAP-TLS and I am trying to use post-auth section to dynamically assign (based on the ldap group membership) vlan ID to the user. Leaving the LDAP part away for testing purposes and concentrating just on the post-auth section - I cannot make FR to override VLAN ID in post-auth section. Here is the config: post-auth { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "36" } exec Post-Auth-Type REJECT { attr_filter.access_reject } } And nothing happens here: .... # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[reply] returns noop ++[exec] returns noop Sending Access-Challenge of id 127 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "36" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN EAP-Message = 0x03040004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd55884fdd75c9555353e80afe21cb577 Finished request 6. .... But it finally ends with this: ..... Sending Access-Accept of id 128 to X.X.X.X port 32769 Tunnel-Private-Group-Id:0 = "84" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Cisco-AVPair += "XXX" EAP-Message = 0xXXXX Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "XXXX" Finished request 7. Hence, 3 questions: 1) Does FR v2.1.12 support post-auth section? 2) Can you explain the aim of "Sending Access-Challenge" ? 2) Where is the best place to authorize users in LDAP while using EAP-TLS? Is it post-auth? ps. it works fine while authorizing users based on LDAP in the authorize section but we prefer to postpone this task to post-auth. In that way we can achieve to goals: -use ldap group membership for vlan assignments and -significantly reduce LDAP load jinx