How to Reject Anonymous Identity

Selahattin Cilek selahattin_cilek at
Fri Nov 2 17:08:32 CET 2018

I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I 
stepped into the world of RADIUS, I have been dealing with the issue of 
"anonymous" users. I have been abusing the *Class* attribute work around 
the problem, but after some deliberation, I've decided that it would be 
best if I could reject anonymous users right away.

I already have a MySQL stored procedure named "is_login_allowed" that 
checks if a user is in a locked state or not and I use it like this in 
the *authorize* section of the *default*, *inner-tunnel-ttls*, 
*inner-tunnel-peap* sites:

     if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) {


Currently, this store procedure can check if a user with a given name 
exists in the database, and if not, return *0* to make FreeRADIUS to 
reject access to that user.

What I'd like to know though is that if there is a better, more elegant 
FreeRADIUSy way of achieving the same goal. For example, would something 
like below work?


if("%{outer.request.UserName}" != "%{inner.request.UserName}"){




This email has been checked for viruses by Avast antivirus software.

More information about the Freeradius-Users mailing list