Seems that I'm slowly getting it.
> To authorize a subscriber you should make a decision based on both
> subscriber profile and authentication result. This is what post-auth
> section does. Put your authorization policies in this section.

So do I understand this correctly: if I, for example, want to put a client into a VLAN according to the EAP-TLS certificate issuer, the recommended way to do that is to use unlang to check %Client-Cert-Issuer in the post-auth section and use the "update reply" command to set the Tunnel-Private-Group-Id reply attribute?
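The policy described in this message, written out as an added configuration sketch (not part of the original thread and not the project's shipped configuration). It assumes the issuer DN of the validated client certificate is exposed as `TLS-Client-Cert-Issuer` in the request list at post-auth time; the issuer strings and VLAN IDs are constructed placeholders.

```unlang
# Added example: fragment for the post-auth section of a virtual server.
# Issuer DNs and VLAN IDs below are constructed placeholders.
post-auth {
	# Assumption: TLS-Client-Cert-Issuer holds the issuer DN of the client
	# certificate that the EAP-TLS module has already validated against
	# its trusted CA list. Compare the full DN with ==, not a substring
	# or regex match, so a look-alike issuer name cannot select the VLAN.
	if ("%{TLS-Client-Cert-Issuer}" == "/C=XX/O=Example Corp/CN=Example Staff CA") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"
		}
	}
	elsif ("%{TLS-Client-Cert-Issuer}" == "/C=XX/O=Example Corp/CN=Example Device CA") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"
		}
	}
	else {
		# Unknown or missing issuer: assign a restricted VLAN instead of
		# letting the switch fall back to its default port VLAN.
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "999"
		}
	}
}
```

The issuer string only carries weight because certificate chain validation has already succeeded in the EAP module, so the set of CAs trusted there should be limited to the issuers this policy names.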