Hi, In the authorize section, I check the username and password and print the relevant Reply-Message as in the followings. I works. authorize { .. sql{ notfound = 1 reject = 2 } if(notfound){ update reply { Reply-Message := "Please check your Username" } reject } if(reject){ update reply { Reply-Message := "%{reply:Reply-Message} Wrong Password" } reject } .. } Then, for those who reject, I check the NAS-Identifier in the "Post-Auth-Type REJECT" section. If the NAS-Identifier is incompatible according to the racheck table, I print a "wrong NAS" message. Ok so far. However, if the NAS-Identifier is not in the radcheck table, the NAS-Identifier should not check, if the password is incorrect, I want a "wrong password" error. I couldn't do this. Post-Auth-Type REJECT { .... if (&NAS-Identifier != "%{sql:SELECT value FROM radcheck WHERE Username = '%{User-Name}' and attribute='NAS-Identifier'}") { update reply { Reply-Message = "%{Reply-Message} Wrong NAS, NAS:%{NAS-Identifier}" } } update reply { Reply-Message = "%{reply:Reply-Message} Wrong Password." # Reply-Message := "Wrong Password.." } .. } Could you please help me how to fix it. Regards