Hi, I'm using FreeRADIUS Version 3.0.12. I'm doing EAP-TTLS/PAP and I have the following policy in the authorize section of the inner tunnel virtual server (same behaviour when it's in post-auth): w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } } } Which results in: (8) policy w2vgroupcheck { (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) EXPAND %{Stripped-User-Domain} (8) --> vlan-1.w2v.kit.edu (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { rlm_sql (sql): Reserved connection (0) (8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (0) (8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 1 (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { (8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") { rlm_sql (sql): Reserved connection (1) (8) Executing select query: SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (1) (8) EXPAND %{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> KIT-Group-1 (8) if (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") -> FALSE (8) else { (8) [reject] = reject (8) } # else = reject (8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = reject (8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = reject (8) } # policy w2vgroupcheck = reject I don't understand it because the SQL expansion works but then there is no try to do the LDAP group check. It just says FALSE and rejects. When I replace (LDAP-Group == "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}") with (LDAP-Group == "KIT-Group-1") it works: (8) policy w2vgroupcheck { [50/1950] (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) EXPAND %{Stripped-User-Domain} (8) --> vlan-1.w2v.kit.edu (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) -> TRUE (8) if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { rlm_sql (sql): Reserved connection (0) (8) Executing select query: SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (0) (8) EXPAND %{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 1 (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) -> TRUE (8) if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { (8) if (LDAP-Group == "KIT-Group-1") { (8) Searching for user in group "KIT-Group-1" rlm_ldap (ldap): Reserved connection (1) (8) Using user DN from request "uid=abc123,ou=People,ou=unix,ou=IDM,dc=kit,dc=edu" (8) Checking for user in group objects (8) EXPAND (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) (8) --> (&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123)) (8) Performing search in "ou=unix,ou=IDM,dc=kit,dc=edu" with filter "(&(cn=KIT-Group-1)(objectClass=posixGroup)(memberUid=abc123))", scope "sub" (8) Waiting for search result... (8) User found in group object "ou=unix,ou=IDM,dc=kit,dc=edu" rlm_ldap (ldap): Released connection (1) (8) if (LDAP-Group == "KIT-Group-1") -> TRUE (8) if (LDAP-Group == "KIT-Group-1") { (8) update reply { rlm_sql (sql): Reserved connection (1) (8) Executing select query: SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('vlan-1.w2v.kit.edu', '\.w2v\.kit\.edu$', '') rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 1 rlm_sql (sql): Released connection (1) (8) EXPAND %{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')} (8) --> 22 (8) Tunnel-Private-Group-Id := 22 (8) Tunnel-Type := VLAN (8) Tunnel-Medium-Type := IEEE-802 (8) } # update reply = noop (8) } # if (LDAP-Group == "KIT-Group-1") = noop (8) ... skipping else: Preceding "if" was taken (8) } # if ("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) = noop (8) } # if ("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) = noop (8) } # policy w2vgroupcheck = noop Thanks in advance Klara