Try this.
huntgroups > diegem NAS-IP-Address == 10.5.x.x > diegem NAS-IP-Address == 10.5.x.x > diegem NAS-IP-Address == 10.5.x.x > brussels NAS-IP-Address == 10.2.x.x users file #note: there is no default auth-type = system here DEFAULT Group == NOC, Auth-Type := System replyattrs = replyvalues bob Huntgroup-Name == diegem, Auth-Type := System replyattrs = replyvalues... somebrusselluser Huntgroup-Name == brussells, Auth-Type := System reply attrs DEFAULT Auth-Type := Reject That means: If user is in group NOC, match here and authorize the user using system If user bob is coming from huntgroup diegam, match here and authorize user If user somebrusselluser is coming from huntgroup brussells, match If no matches on above, reject the user I suspect that your DEFAULT Auth-Type = system entry is at the top of your users file. Then you have some matching rules. You have a user that comes in but won't match any of your matching rules, so it will default to the auth-type = system entry that it matched at first and simply authorize the user with system. What I have above, specifies to use system when it matches each user entry or the group entry. If there is no match, then it tells you to reject the user. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html