hi, I think I must thanks for FR project @Alan DeKok and @others.it is a great and prefect job. I hava two ssid,SSID-TMP for temporary user and the SSID-EMP for employee-user,they both use the realm_sql for auth. the data in radcheck as follows: current,in raddb/sq/mysql/dialup.conf, authorize_check_query = "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id" so when a temporary user tmp_user connect SSID-EMP(for employee),he also get the correct password for connecting the SSID-EMP.that should be disabled. the problem is:how can I map the user to the correct record? I have extented radcheck tables with field user_ssid,so the records like: and change the authorize_check_query statement to: "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id" but I donot get the correct sql statement: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id another approach: I define another virtual server,but they use the same sql realm,and use the same sql_query statement, How can I achieve the resule what I want? I am confused about this,thanks for any suggestion or advise, apologize for my english, gh.li tel:+8613910260406 email:gh.li@microshield.com.cn