I have updated a Freeradius 2.x system to a fresh 3.0.16 build (new hardware/os from the ground up) We make use of huntgroups and DEFAULT entries in the files to set L2TP tunnel forwarding when required or sql to apply a full user profile else. On 3.0.16 I am seeing that a request that matches a DEFAULT entry within files (which accepts with assorted tunnel attributes) is also then using the sql module and merging the attributes rather than not processing the SQL if the files section matches. Have I missed a change in behaviour between 2.x and 3.0.x ? In the debug I can see the match in users.then it also calls sql. Wed Aug 22 23:22:30 2018 : Debug: (1) files: users: Matched entry DEFAULT at line 1366 Wed Aug 22 23:22:30 2018 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Wed Aug 22 23:22:30 2018 : Debug: (1) [files] = ok Wed Aug 22 23:22:30 2018 : Debug: (1) modsingle[authorize]: calling sql (rlm_sql) The matching users section is. DEFAULT Huntgroup-Name == "xxxxx", User-Name =~ "xxxxxxxx", Auth-Type := Accept Service-Type = Outbound-User, Tunnel-Type = L2TP, Tunnel-Medium-Type = IP, Tunnel-Server-Endpoint:1 = xxxxxxxxx Tunnel-Password:1 = xxxxxxxxxx, Tunnel-Assignment-Id:1 = xxxxxxxxxx, Tunnel-Preference:1 = 1, Tunnel-Server-Endpoint:2 +=xxxxxxxxxxxx, Tunnel-Password:2 += xxxxxxxxxxxx, Tunnel-Assignment-Id:2 += xxxxxxxxxxxxx, Tunnel-Preference:2 += 1