sorry Alan, I give you the informations that you want.
i created one table in my radius database. if the reply on radpostauth is like Access-Accept.
the table store the username and the authdate.
I added a trigger which it run each time, when a username tries to log on.
the trigger makes a diff between the authdate.rapostauth and the authdate.newtable of the user.
if the date is up to 20 days, the trigger add/modify the groupname.radusergroup of the user.
at he result the radgroupreply should be different.
but in my case, it's different, the add/update works very well, but this are the last parameters before the modification of the radusergroup table which are sent
radgroupreply table,
| id | groupname | attribute | op | value |
| 1 | safe | Tunnel-type | = | 13 |
| 2 |safe | Tunnel-Medium-Type | = | 6 |
| 3 | safe | Tunnel-Private-Group-ID | = | 7 |
| 5 | no-safe | Tunnel-type | = | 13 |
| 6 | no-safe | Tunnel-Medium-Type | = | 6 |
| 7 | no-safe | Tunnel-Private-Group-ID | = | 8
before
radusergroup;
username :toto | groupname: safe | priority: 1
last Access-Accept > 20 days
radusergroup;
username :toto | groupname: no-safe | priority: 1
radgroupreply safe instead of no-safe.
i hope that i answer at yours last questions