>the idea is to authenticate users with LDAP, but once authenticated >check your Calling-Station-Id, and depends on the mac is due to a >specified VLAN >- Why don't you do this in authorize section where this is normally done? Why do you want to do it in post-auth? You don't need policy.conf; unlang will do fine. Ivan Kalik Kalik Informatika ISP