Hi I have a RADIUS setup (eduroam) where the users are authenticated against LDAP (mod_ldap, not ntlm_auth) for our own domain. All other users are proxied to a RadSec proxy. This works fine, but now we need the possibility to replace the Aruba-User-VLAN VAP with a different VLAN ID, if some users from our domain can be found in a special LDAP group (i.e. cn=testgroup). If not, the users should get assigned the Aruba-User-VLAN VAP 31. What do i have to change in my setup in order to make this work? In my /etc/raddb/sites-enabled/testsite i have: ... post-auth { #reply_log #redundant_ldap #exec Post-Auth-Type REJECT { attr_filter.access_reject } ### enable debug logging from here on #update control { # Tmp-String-0 = "%{debug:2}" #} if (Realm == "testdomain.de") { update reply { Aruba-User-Vlan = "31" } } } Best, Thomas ... -- Thomas Stather IT Services Tel: +49 6221-486 628 Fax: +49 6221-486 561 ------------------------------------------------------------------------ Max Planck Institute for Medical Research (MPImF) Jahnstrasse 29, 69120 Heidelberg Germany