Hi, I have freeradius 2.1.12 of rhel6 which uses freeipa as an ldap backend. All is working fine. The config I have setup is as follows: Ldap group sys_admins = contains users who get privileges to authenticate and login radius based devices (cisco routers/switches, ucs, f5, brocade). Radius config for ldap module checks group sys_admins for membership. (/etc/raddb/modules/ldap) groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn})))" groupmembership_attribute = sys_admins In /etc/raddb/users I have... DEFAULT Ldap-Group == "cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com" Auth-Type :=Accept, Service-Type = "NAS-Prompt-User", Cisco-AVPair = "shell:roles*\"admin network-admin vdc-admin\"", Cisco-AVPair += "shell:priv-lvl=15", Fall-Through = No, F5-LTM-User-Role = 0, F5-LTM-User-Info-1 = administrator, F5-LTM-User-Partition = common, F5-LTM-User-Shell = tmsh, Brocade-Auth-Role+= "admin", Brocade-AVPairs1+= "HomeLF=0", Brocade-AVPairs2+= "LFRoleList=admin:0-255", Brocade-AVPairs3+= "ChassisRole=admin" DEFAULT Auth-Type := Reject Reply-Message="You do not have permission to access this device.", Fall-Through = Yes This is all working fine. My problem is that I need to have a user setup in ldap for monitoring purposes (using icinga), which should be a read only based user for the ucs and not have access to the brocade, f5 or other cisco devices. I've tried a lot of different configs and nothing has worked. Adding a specific user definition to /etc/raddb/users with appropriate privilege levels doesn't help as it seems to still require that the user belong to the ldap group sys_admins, which means they get access to all devices. Does anyone know of a way to have multiple user definitions in /etc/raddb/users with ldap backends with differing privilege levels? Could the ldap module be duplicated like the files module which allows a second users file? Is it even possible? Any alternatives? Thanks, Les