Hi, We currently try the official freeradius 3.0 version for migration of the configs from FR2. In our FR 2.x setup, we use Ldap-Group checks during the authorization process. This is configured by unlang and a policy like: [policy.conf] checkusers { if (Ldap-Group == "GROUP1") { update reply { Tunnel-Type = 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-Id = 100 } ok } elsif (Ldap-Group == "GROUP2") { update reply { Tunnel-Type = 13 Tunnel-Medium-Type = 6 Tunnel-Private-Group-Id = 100 } ok } else { reject } } The checks are made in the default server: [sites-available/default] authorize { preprocess ldap checkusers mschap : } Each group check works, but produce all the time a log message: "Invalid operator for item Ldap-Group: reverting to '=='" In the debug, we got this: <DEBUG> : rlm_ldap (ldap): Released connection (4) (0) User is not a member of specified group Invalid operator for item Ldap-Group: reverting to '==' (0) ? if (Ldap-Group == "GROUP1") -> FALSE (0) ? elsif (Ldap-Group == "GROUP2") : </DEBUG> When we put the checkusers into the post-auth, the log message with invalid operator are gone. What is wrong here ? Why the message "Invalid operator for item Ldap-Group: reverting to '=='" pops up in authorize but not in post-auth process ? With regards, C.