Just a couple of suggestions (which I understand may have been discussed and dismissed before!): For the default mysql schema, have a UNIQUE constraint / key on username / attribute pairs in the applicable tables - most importantly for us this is radcheck. Have a key on username in radpostauth.