Multiple shared secret per IP?

Chris Taylor (chtaylo2) chtaylo2 at
Mon Feb 20 19:34:08 CET 2017

I found an interesting work around for anyone interested. 
If you have a need to have dual secret keys per IP address, the following seems to work:

1.) Create a new listener in sites-enabled/default
a. You’ll want to listen on a different port
b. Enable:  clients = per_socket_clients
2.) In your clients.conf add:

clients per_socket_clients {
       client socket_client {
               ipaddr = XX.XX.XX.XX
               secret = Monitor_Agent

The default listener will continue to use the normal client shortname, while the new listener will use the secret key from socket client. This probably isn’t want this is intended for, but does work!

On 2/13/17, 3:53 PM, "Freeradius-Users on behalf of Chris Taylor (chtaylo2)" < at on behalf of chtaylo2 at> wrote:

    Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions.
    On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" < at on behalf of peter at> wrote:
        On 14/02/2017 05:52, "Brian Candler" <b.candler at> wrote:
        On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:
        > user: monitor
        > source IP:
        > secret: MonitorAgent
        > ^ - That’s easy. To complicate, I need to also authenticate real users
        > from the same source server, using a different shared secret.  (anyone can
        > view the one above, so not secure) Ideally, I’d like to also lockdown the
        > above secret key, to the single user.
        Could you add a second IP address to the server (i.e. an alias), and bind
        to that when sending your test queries?
        I was just wondering about to reply and say exactly the same thing.
        On my development server I have bound 6 secondary IP addresses to it and
        In the first line of the request.
        The other option as suggested is to add multiple IP addresses on the server
        or a listen statement in the configuration with a new port and use a per
        port clients to specify the shared secret.
        In the end after various different ways of achieving it I created my own
        custom VSA and include that in the request to determine the NAS type. Then
        for normal NASes I use client shortname and make decisions in code. And for
        my development server I don't define client shortname and pass it in as an
        additional VSA.
        List info/subscribe/unsubscribe? See
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4054 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list