Hello,

sorry Alan, I give you the informations that you want.

i created one table in my radius database. if the reply on radpostauth is like Access-Accept.
the table store the username and the authdate.

I added a trigger which it run each time, when a username tries to log on.

the trigger makes a diff between the authdate.rapostauth and the authdate.newtable of the user.

if the date is up to 20 days, the trigger add/modify the groupname.radusergroup of the user.
at he result the radgroupreply should be different.

but in my case, it's different, the add/update works very well, but this are the last parameters before the modification of the radusergroup table which are sent

radgroupreply table,
| id | groupname           | attribute               | op | value                                                                                                                         |
|  1 | safe      | Tunnel-type             | =  | 13                                                                                                                            |
|  2 |safe       | Tunnel-Medium-Type      | =  | 6                                                                                                                             |
|  3 | safe      | Tunnel-Private-Group-ID | =  | 7                                                                                                                           |                                      
|  5 | no-safe | Tunnel-type             | =  | 13                                                                                                                            |
|  6 | no-safe | Tunnel-Medium-Type      | =  | 6                                                                                                                             |
|  7 | no-safe | Tunnel-Private-Group-ID | =  | 8  

before
radusergroup;
username :toto | groupname: safe | priority: 1

last Access-Accept > 20 days
radusergroup;
username :toto | groupname: no-safe | priority: 1

radgroupreply safe instead of no-safe.

i hope that i answer at yours last questions