I recently configured a radius server with openldap backend to handle central auth for all my network equipment. The ldap module is using "radiusGroupName" as my groupmembership_attribute. I've configured post-auth and the users file in such a way that I can log into devices with my ldap credentials ONLY if I am a member of one of 2 groups. My reply-item attributes are stored in ldap within the group, and all that is working great. Valid users who are not members of these defined groups get rejected. perfect. Now the tricky part. I have a third ldap group that i want to use in order to assign vpn access to people. so some users may be members of only the vpn group, and some maybe members of the superadmin group as well as the vpn group. This causes two problems. 1) If I add allow the vpn group, then vpn users will be able to login to network equipment which is definitely not desired. 2) I don't currently have any way to determine within radius if a user is trying to login to the vpn, or if they are trying to ssh to my firewall. I'm not really sure what I should do to work around this. My only idea I've come up with (which I don't like), is to have my firewall set a different NAS-ip for the vpn users. If that is different, then I imagine I can probably write some login in post-auth to handle it. Is there a better way to do this. The radius configuration on my firewall will let me set the nas-ip, auth-type, which source ip to communicate with, and which destination port the radius server is listening on. I've not yet looked into how the virtual servers work in radius, so maybe I can setup a different port and config for my vpn users to auth against.. Using FreeRadius 2.1.12.