Thank you all. I think running a secondary IP might be the way to go here. A lot of good suggestions. On 2/13/17, 12:14 PM, "Freeradius-Users on behalf of Peter Lambrechtsen" <freeradius-users-bounces+chtaylo2=cisco.com@lists.freeradius.org on behalf of peter@crypt.nz> wrote: On 14/02/2017 05:52, "Brian Candler" <b.candler@pobox.com> wrote: On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote: > user: monitor > > source IP: 64.0.0.1 > > secret: MonitorAgent > > > ^ - That’s easy. To complicate, I need to also authenticate real users > from the same source server, using a different shared secret. (anyone can > view the one above, so not secure) Ideally, I’d like to also lockdown the > above secret key, to the single user. > > > Could you add a second IP address to the server (i.e. an alias), and bind to that when sending your test queries? I was just wondering about to reply and say exactly the same thing. On my development server I have bound 6 secondary IP addresses to it and use Packet-Src-IP-Address In the first line of the request. http://lists.freeradius.org/pipermail/freeradius-devel/2012-October/007185.h... The other option as suggested is to add multiple IP addresses on the server or a listen statement in the configuration with a new port and use a per port clients to specify the shared secret. In the end after various different ways of achieving it I created my own custom VSA and include that in the request to determine the NAS type. Then for normal NASes I use client shortname and make decisions in code. And for my development server I don't define client shortname and pass it in as an additional VSA. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html