For an 802.1x authentication radius first asks an ad server to get information about a specific machine account. If this account belongs to a certain group, the users file is consulted to check, which vlan the account gets assigned. In radiusd.conf I set the groupname_attribute in the the ldap section: groupname_attribute = "primaryGroupID" This works with a user file and entries like this without problems: DEFAULT Ldap-Group == "515", Auth-Type := Accept Framed-Type = Framed, Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = Core1 For some reason I want the operator here not to be ==, but >= and change the entry to: DEFAULT Ldap-Group >= "500", Auth-Type := Accept Framed-Type = Framed, Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = Core1, Fall-Through = no In this case I get: rlm_ldap::groupcmp: Group 500 not found ????or user not a member Further digging in radiusd -AX's output unveiles the reason: rlm_ldap: performing search in dc=MYDOM,dc=NET, with filter (&(primaryGroupID=500)(|(&(objectClass=GroupOfNames)(member=CN=MC The search here is done with "=": primaryGroupID=500 Is there any way to honor the operator >= in the users file in this case without modifying the source code? Thanks Norbert Wegener