I want to use freeradius to authenticate different groups of users (from LDAP) to sets of network devices, potentially with different access levels, but have a bit hard time understanding how this is supposed to be configured. Would be nice with some advice.. What I have so far is: # Give ldap group "firewall" super-user privilege on juniper firewalls: DEFAULT Ldap-Group == "cn=firewall,cn=groups,cn=accounts,dc=example,dc=com" Auth-Type := LDAP Juniper-Local-User-Name := "super-users", # Give ldap group "netadmin" "enable" access on cisco routers: DEFAULT Ldap-Group == "cn=netadmin,cn=groups,cn=accounts,dc=example,dc=com" Auth-Type := LDAP cisco-avpair = "shell:priv-lvl=15" But this doesn't work for users that are member of both groups, so I need to say that the first rule is limited to a set of juniper devices, and the second is limited to a set of cisco devices. What's the strategy we should use for expressing this? Is it possible without having to specify one rule for each NAS-IP-Address? I.e. being able to do some kind og grouping of clients to match on would be very helpful.. -jf