Hi, I'm using radius to control access to access points (several SSIDs) using both PEAP and EAP-TLS, control a vpn server and also 802.1x switch ports. I have one group defined per service (so one per wifi SSID, one for VPN, ...) that make sure that the correct returns attributes are in the response. What I'd like is that if either : - The user doesn't exist at all in the DB - Or the user exists but it didn't match any groups (because the user doesn't have access to the particular service he's trying to use). Then access should be denied. What's the recommended way to achieve that result ? All the ones I'm thinking of seem pretty messy so I must be missing something, and given it's pretty easy to omit something and open a big security hole, I'd rather have some expert opinion here. Cheers, Sylvain Munaut