Jeff & List, Thanks, this seems fairly simple so I gave a whirl.. For the last two hours or so :( No joy.. Of course, it's entirely possible I totally missed your point. Here is what I tried: I have a user called "user" who is assigned to the "dialusers-t" user group in the "radusergroup" table. I am using NTradPing from my laptop located at let's say 5.6.7.8 which correctly shows up in the debug as Client-IP-Address. Now I wanted to test to see if I could put a rule (based on what you showed me) into the radcheck table and get a reject in my test client based on the fact that the Client-IP-Address I am connecting from with my test client is not the one allowed in my radcheck table for the group the user belongs to. Here is the rule: ID: xxx GroupName: dialusers-t Attribute: Client-IP-Address OP: == Value: 5.6.7.21 So, I thought that this would not allow a user from a client ip unless it was 5.6.7.21. So I tried to auth from my test client located at an IP address OTHER than 5.6.7.21 and I still get an accept. I have played around with different operators and such but still no luck. Any ideas? Thanks! Regards, Todd R. -----Original Message----- From: freeradius-users-bounces+tjrlist=lightwavetech.com@lists.freeradius.org [mailto:freeradius-users-bounces+tjrlist=lightwavetech.com@lists.freeradius. org] On Behalf Of Jeff Crowe Sent: Friday, December 19, 2008 1:00 PM To: FreeRadius users mailing list Subject: RE: Restricting dialup users to certain client definitions only Hi Todd, I am using FR & MySQL and have the following in my radgroupcheck table to limit my dialup customers from connecting to my dsl aggregators. I have created different Groups (dialup & dsl for simplicity). In the dialup group I have rule that reads: ID: xxx GroupName: dialup Attribute: NAS-IP-Address OP: !~ Value: (xxx.xxx.xxx.4|xxx.xxx.xxx.2) This prevents any user in FR with a group of dialup from connecting to a NAS device with an IP of xxx.xxx.xxx.4 or .2 Hope this gives you an idea on where to limit your customers. Cheers, Jeff.