Hi, I have a Freeradius Server in front of a FreeIPA backend configured to do LDAP Authentication via group. This works fine. I can login to my cisco switch as an ordinary user (who belongs to an ldap group cisco_admins) in user exec mode. Users in this group are assigned privilege level 15. /etc/raddb/users DEFAULT Ldap-Group == "cn=cisco_admins,cn=groups,cn=accounts,dc=mydomain,dc=com" Reply-Message="You have been authenticated", Auth-Type := System, Service-Type = "NAS-Prompt-User", Cisco-AVPair = "shell:priv-lvl=15", Fall-Through = No I figured out that I'd need to rewrite $enab15$ to have enable passwords authenticated via ldap also. This is working fine too. /etc/raddb/modules/attr_rewrite # Rewrite Usernames for enable mode on Cisco attr_rewrite rewriteenablemodeuser { attribute = User-Name searchin = packet searchfor = ".enab15." replacewith = "admin" append = no However this means that, for this configuration, I need to use the "admin" user password in ldap to enter enable mode. While I can authenticate as admin to access enable mode I was hoping for a way to be able to authenticate via an ordinary user for enable mode. i.e. normal user uses the same password for user mode and enable mode. Is there a way that the attr_rewrite can be something like... Repalcewith = "current_id_of_user" Or is there another way? Thanks, Les