Is it possible to authenticate or deny a request based on the radgroupcheck and radusergroup being 'satisfied'? Basically I want to make sure that all 3 of the following are satisfied: 1) the user is in a proper group (radusergroup) 2) the request is coming from a valid IP (radgroupcheck using NAS-IP-Address) 3) the user/password is valid of course (radcheck) The issue I have is a user can supply a valid user/password combination, but not have the required group membership in radusergroup, but still be pass authentication which only looks at radcheck (user/password) and nothing else. My desire is to be able to isolate different environments by group and NAS-IP-Address. There may be a much more elegant way of getting this done, which I'm open to as well.