Hello Cormac, For epa failure construct an epa policy same as pass, but add a ! in front of it. This will help to still continue with you authentciation flow and then you can use these failure/success groups in your sessisonaction or any policy you want and proceed. Something as follows:- add authentication epaAction epaact1 -csecexpr "sys.client_expr("proc_0_notepad")" -defaultEPAGroup EPA_PASS add authentication epaAction epaact2 -csecexpr "!sys.client_expr("proc_0_notepad")" -defaultEPAGroup EPA_FAIL then use EPA_FAIL group as your check for your sessionpolicy if needed(expression below) as follows:- "AAA.USER.IS_MEMBER_OF("EPA_FAIL")" HTH..