Hello, sorry Alan, I give you the informations that you want. i created one table in my radius database. if the reply on radpostauth is like Access-Accept. the table store the username and the authdate. I added a trigger which it run each time, when a username tries to log on. the trigger makes a diff between the authdate.rapostauth and the authdate.newtable of the user. if the date is up to 20 days, the trigger add/modify the groupname.radusergroup of the user. at he result the radgroupreply should be different. but in my case, it's different, the add/update works very well, but this are the last parameters before the modification of the radusergroup table which are sent radgroupreply table, | id | groupname | attribute | op | value | | 1 | safe | Tunnel-type | = | 13 | | 2 |safe | Tunnel-Medium-Type | = | 6 | | 3 | safe | Tunnel-Private-Group-ID | = | 7 | | 5 | no-safe | Tunnel-type | = | 13 | | 6 | no-safe | Tunnel-Medium-Type | = | 6 | | 7 | no-safe | Tunnel-Private-Group-ID | = | 8 before radusergroup; username :toto | groupname: safe | priority: 1 last Access-Accept > 20 days radusergroup; username :toto | groupname: no-safe | priority: 1 radgroupreply safe instead of no-safe. i hope that i answer at yours last questions