Hi, I'm trying to allow non MFA logins from configuration revisioning systems where the target device doesn't support SSH key based authentication. I started constructing an unlang check using '<ipv4prefix>' and hit some quirks. Most of our devices include the calling station's source IP in their request, whilst a few send the reverse DNS lookup strings. How do I test if a variable matches the structure of an IPv4 IP? My problem appears to be that '<ipv4prefix>&String < 41.0.0.0/29' returns true, for example: (0) Calling-Station-Id = "oxidized.syrex.co.za" (0) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) { (0) EXPAND &Client-Shortname (0) --> core_routers (0) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) -> FALSE (1) Calling-Station-Id = "196.196.196.196" (1) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) { (1) EXPAND &Client-Shortname (1) --> core_routers (1) if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29) -> TRUE I had hoped to have been able to do the following, but the behaviour above makes me believe I have to test them separately: if (&Client-Shortname == "core_routers") && !(&User-Name == "revisioncfg" && &Calling-Station-Id && (&Calling-Station-Id =="oxidized.syrex.co.za" || <ipv4prefix>&Calling-Station-Id < 41.0.0.0/29)) Regards David Herselman