> Why don't you just do whatever "if()" logic before adding the attributes?
It's complicated :-) Partly it's policy. We configure as much of this logic in users files as possible, because they can be updated without needing to restart radiusd. But in future it will be a necessity. The project I'm working on involves authenticating users based on some attribute which identifies their physical location, not their User-Name. So decisions you might have made in the past solely based on realm and NAS-IP (e.g. tunnel to X) have to be made after a database lookup. That database lookup may add reply attributes, which will be needed by the terminating LNS, but not when tunnel switching. So if the database identifies the user as category X, *and* the request comes from NAS-IP Y, then we have to strip the reply attributes and replace with tunnelling ones. Regards, Brian. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html