I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I stepped into the world of RADIUS, I have been dealing with the issue of "anonymous" users. I have been abusing the *Class* attribute work around the problem, but after some deliberation, I've decided that it would be best if I could reject anonymous users right away. I already have a MySQL stored procedure named "is_login_allowed" that checks if a user is in a locked state or not and I use it like this in the *authorize* section of the *default*, *inner-tunnel-ttls*, *inner-tunnel-peap* sites: authorize{ if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) { reject } } Currently, this store procedure can check if a user with a given name exists in the database, and if not, return *0* to make FreeRADIUS to reject access to that user. What I'd like to know though is that if there is a better, more elegant FreeRADIUSy way of achieving the same goal. For example, would something like below work? authorize{ if("%{outer.request.UserName}" != "%{inner.request.UserName}"){ reject } } --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus