Pam radius client and binding to mulitple IPs

Chris Tong chrisinamsterdam at
Mon Jan 25 13:36:03 CET 2010

Hi everyone,


I realise that this maybe somewhat a limitation of the PAM Radius Plugin  for OpenVPN but have searched around for a week now to find a solution.

The problem I am having is that I have an OpenVPN "proxy hub"  that has 3 external IP addresses. I am using huntgroups to distinguish if a user can authenticate against an IP address and if so they receive an IP & default Gw to a front end proxy (each front end proxy is located in a separate country). The idea is that a user of a specific group can only connect to an interface that he is a group memeber of. The authentication uses the pam radius plugin against a backend SQL / radius server. If I connect to int1 then the requests sent by the Radius plugin to the backend radius server has a source IP of int1. This works well and the user is authenticated and is provided a default GW to the front end proxy. However if the user connects to INT2 the NAS requset still has the source IP address of INT1 and therefore the user is rejected because he is not a member of the INT1 grouping.


Is it possible to have multiple instances of the radius plugin each binding to a different interface so that the request seen by the Radius server via the PAM plugin has the correct source address? Is it possible to get the NAS to Distinguish between the interfaces?


Cheers to all in advance (",)


New Windows 7: Find the right PC for you. Learn more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list