I would like specific users to be authorized against specific NAS IP addresses (using FreeRADIUS 3.0.13). For example, user "user1" should only be authenticated it the NAS-IP-Address is one of a set of IP addresses. First, a new local attribute called "My-NAS-Group" was created in the /etc/raddb/dictionary file as a string. Next, the /etc/raddb/mods-available/passwd file, there is a pointer to the file 'test-groups.txt'. passwd poc_groups { filename = /etc/raddb/test-groups.txt format = "*NAS-IP-Address:~My-NAS-Group" hash_size = 300 ignore_nislike = no allow_multiple_keys = no } The test-groups.txt file contains a mapping of IP address to a group name. Based on the 'format' above, the idea is to assign the group name to the local attribute 'My-NAS-Group'. [root@server raddb]# more test-groups.txt 10.8.26.1:g1 10.8.151.137:g1 10.8.151.130:g2 Finally, I would like to use the 'My-NAS-Group' as a match criteria for the user authentication. For example, in the 'users' file: user1 Cleartext-Password := "hello", My-NAS-Group == "g1" Service-Type = Login-User In the /etc/raddb/sites-available/default file, the only change that has been made is to enable 'unix' authentication. This is for authenticating using the local linux server accounts, however this is separate from what I'm trying to do here. In other words, there is no local system account for user "user1". From the debug output there is no reference to "My-NAS-Group" and the authentication fails. The authentication works if the "My-NAS-Group" is removed. What additional configuration is needed in freeradius for the local attribute "My-NAS-Group" to be used as a match criteria in the 'users' file? Thanks A