Dear freeradius-users, I'm trying to configure different access to users based on group membership. What I would like to achieve is that userA is allowed only through NAS-Port1, UserB through NAS-Port2 and userALL through both. It seems to work OK as long as each user is only in one group. If I put one user in two groups he is not able to login. My configuration is as follows: FreeRADIUS Version 2.1.7 passwd usergroups { filename = /etc/raddb/usergroups format = "~ML-Group:*,User-Name" hashsize = 0 ignorenislike = yes } usergroup is called before files in authorize section file usergroups: siteA:userA,userAll siteB:userB,userAll file users: DEFAULT NAS-Port==1,ML-Group!="siteA",Auth-type:=Reject DEFAULT NAS-Port==2,ML-Group!="siteB",Auth-type:=Reject userA Cleartext-password := "qaz123" NS-Admin-Privilege := Read-Only-Admin userB Cleartext-password := "qaz123" NS-Admin-Privilege := Read-Only-Admin userAll Cleartext-password := "qaz123" NS-Admin-Privilege := Root-Admin DEFAULT Auth-type:= Reject fragment of debug log for user userALL: [usergroups] Added ML-Group: 'siteA' to request_items [usergroups] Added ML-Group: 'siteB' to request_items ++[usergroups] returns ok [files] users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Login incorrect: [userAll] (from client localhost port 1) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> userAll attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated best regards rafal weglarz