FreeRadius - Cisco - Different privileges levels based on source device sending the Access-Request.

Peter Lambrechtsen peter at
Fri Jun 15 07:07:02 CEST 2018

This is exactly how I deployed it in my previous employer.

I had a structure in LDAP for the source IP address so we mapped L aka
location attribute in ldap the source IP to "Client shortname" and that was
used to identify the element type.
Then we did a search based on the user full DN in Group membership and "L"
attribute to find out which group they were a part of. Then set an control
attribute like tmp-string-0 as the element type and role or similar and log
that to linelog so you know what role they were assigned when they got

I always intended to write up a blog post about how to do this as a
cookbook. I really should do that sometime.

On Fri, Jun 15, 2018 at 12:36 PM, Coy Hile <coy.hile at> wrote:

> > On Jun 14, 2018, at 8:01 PM, Laurent Dumont <
> ldumont at> wrote:
> >
> > Hi everyone.
> >
> > We are currently experimenting with Radius and are looking to find a way
> to change the privilege levels when logging into a certain class of
> devices(and only these ones). Right now, we have the following setup.
> >
> > 1. Users attempts to log into a Cisco radius enable device.
> > 2. Device starts the auth process with an Access-Request.
> > 3. Freeradius checks the LDAP/FreeIPA backend and sends the reply with
> >   the VSA "“cisco-avpair" for the correct privilege level based on
> >   LDAP group membership.
> >
> That’s exactly how I would implement it. Based on a tuple (user, Device)
> or (userGroup, DeviceGroup), the LDAP server knows based on group
> memberships which user group(s) the user is in. Same for the device.  Query
> on the backend from most privilege to least. Most specific (User, Device),
> then (User, Device Group), (UserGroup, device), and finally (UserGroup,
> DeviceGroup). First most-specific match wins.
> You could ostensibly have an employee joe who is a network admin, so he
> gets cisco:shell-level=15 in each set of devices, but the last time he
> touched the core route reflectors, he broke the world, so you then define a
> privilege record (in LDAP) that specifically has (Joe, NoAccess).
> --
> Coy Hile
> coy.hile at
> -
> List info/subscribe/unsubscribe? See
> list/users.html

More information about the Freeradius-Users mailing list