We have a large number of users in an ldap database and we have successfully connected freeradius with it. We have also been able to connect a specific client ip address to a specific LDAP group to allow or disallow access to a specific device based on group membership. What we have found is that in the case of PIX it tends to be all or nothing. If one can authenticate thru the firewall for vpn purposes, they can also authenticate by ssh for admin purposes. Is it possible to configure a cisco Pix with separate radius definitions and auth against Freeradius using separate secrets so you can separate to specific groups? We've attempted it and it seems to find the first client on the list and ignores the second. Any Ideas? The PIX unfortunalty does not give any indication of type of connection thru NAS-Port (on pix this is just a session number). Only hope of separation it appears is thru calling-station-id, but that appears to be a real messy way. Below is a sample of what we've be attempting to do. Thanks for any assistance! Cisco Pix 6.3 Firewall ------------------ Pertinent pix configuration items ------------------ aaa-server RADIUS protocol radius aaa-server RADIUS (inside) host 192.168.1.10 secret1 timeout 10 aaa-server RADIUSVPN protocol radius aaa-server RADIUSVPN (inside) host 192.168.1.10 secret2 timeout 10 aaa authentication ssh console RADIUS LOCAL crypto map outside_map client authentication RADIUSVPN ------------------ clients.conf ------------------ client 192.168.1.20 { secret = secret1 shortname = pixssh nastype = Cisco } client 192.168.1.20 { secret = secret2 shortname = pixvpn nastype = Cisco }