Guys, Let me explain my problem briefly. I want different group user get different ip pool. Here is the settings: *===users* DEFAULT Pool-Name := "tc_pool" Fall-Through = Yes *===sites-enabled/default* post_auth...... if (SQL-Group == "restricted") { tc_pool } else { main_pool } *===modules/ippool* ippool main_pool { range-start = 172.16.10.1 range-stop = 172.16.10.254 netmask = 255.255.255.0 cache-size = 254 session-db = ${raddbdir}/db.ipmainpool ip-index = ${raddbdir}/db.ipmainindex override = no maximum-timeout = 0 } ippool tc_pool { range-start = 172.26.11.1 range-stop = 172.26.11.254 netmask = 255.255.255.0 cache-size = 254 session-db = ${raddbdir}/db.ipsecondary26pool ip-index = ${raddbdir}/db.ipsecondary26index override = no maximum-timeout = 0 } *Test result, if use a user in restricted group. There will be a Frame_IP_address in access_accept.* *But if a user not in this group, the radius log is:* ? Evaluating (SQL-Group == "restricted") -> FALSE ++? if (SQL-Group == "restricted") -> FALSE ++else else { +++[main_pool] = noop ++} # else else = noop ...... Sending Access-Accept of id 140 to 127.0.0.1 port 60577 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0xb4c7f85ed7a94628e635e6b7d933c39a MS-MPPE-Recv-Key = 0x024db770d98a83bdf54a7512e8f4a4ad EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "3dd5ac675d704831a89e2475f97f575f" Finished request 2. -- Best Regards, Yanrui Hu -- *This email may contain or reference confidential information and is intended only for the individual to whom it is addressed. Please refrain from distributing, disclosing or copying this email and the information contained within unless you are the intended recipient. If you received this email in error, please notify us at legal@appannie.com <legal@appannie.com>** immediately and remove it from your system.*