I was thinking this should be easy, but it's been two weeks and I give up... This is what I want to do: My NAS, (a WiFi AP), has two SSIDs: "staff" and "guests". I want mutual exclusivity. My /etc/raddb/users file contains something like this: abc Cleartext-Password:="xyz" Local-Group="staff" I've created an attribute in my /etc/raddb/dictionary file: ATTRIBUTE Local-Group 3000 string In my /etc/raddb/sites-enabled/default file, in the authorize section, I've got this: if ( Local-Group != NAS-Identifier ) { update reply { Reply-Message := "You may not connect to %{NAS-Identifier} AP.\r\n" } reject } My access request looks something like this: (edited for brevity.) User-Name = "abc" NAS-IP-Address = 192.168.8.253 NAS-Port = 0 NAS-Identifier = "guests" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "..." Called-Station-Id = "..." Service-Type = Login-User Framed-MTU = 1100 EAP-Message =... State = ... Aruba-Essid-Name = "test" Aruba-Location-Id = "wifi" Aruba-AP-Group = "Our WiFi" Running radiusd -X I get: : ++? if (Local-Group != NAS-Identifier ) (Attribute Local-Group was not found) ? Evaluating (Local-Group != NAS-Identifier ) -> FALSE ++? if (Local-Group != NAS-Identifier ) -> FALSE : And it's clear Local-Group is always empty. :-( Some things I've tried: -Moved code to post-auth section instead of authorize. -Different attributes instead of private dictionary. (i.e. Group-Name) -Running an executable, (actually works, but selinux appears to be a problem?) -Changing the test from != to == makes things work as expected, so if the comparison will actually work, I'm good. I'm clearly not understanding something.... -Joseph