ooops, typed enter on wrong focus... something like: (this is just speculative, written roughly down, untested.... if (&client:netdevice = yes && LDAP-Group != networkmgmt) { update control { Auth-Type := Reject } }