Hi Alan, Thanks for your response. Initially FreeRadius would not start and I did get an error indicating that the "remote_secret_reject" module failed to load. There was no reason given even with -XXX. I found since then that I was missing a brace. Now I can get FreeRadius to start. I still seem to be missing something though, since my policy does not work. Here it is: remote_secret_reject { if ((Realm == "secret.campus.ca") && ((Client-Shortname == "proxy1.net") || (Client-Shortname == "proxy2.net"))) { reject } } In sites-enabled/default: authorize { Š remote_secret_reject Š } Here is the log: Aug 15 09:02:33 radius1 radiusd[3408]: Login OK: [confS13-150@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66 via TLS tunnel) Aug 15 09:02:34 radius1 radiusd[3408]: Login OK: [confS13-150@secret.campus.ca] (from client proxy1.net port 44721 cli 11-22-33-44-55-66) I have a feeling that the solution is painfully obvious but I'm just not seeing it. Thanks, Dave Aldwinckle On 2013-08-13 11:22 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
David Aldwinckle wrote:
Is there a way that I can deny a specific realm when an access request is received from a specific client?
Yes.
I tried adding something to policy.conf but I couldn't get the syntax right:
So... what happened? Did you get an error? Is it a secret?
#Prevent secretrealm from logging in off-campus remote_secret_reject if ("%{Realm}" == "secretrealm.ca") && ((Client-Shortname == "proxy-client1") || (Client-Shortname == "proxy-client2"))) { reject }
Is there a different way that I should be doing this?
You can do it via a policy. But you have to get the syntax right. See "man unlang" for documentation on the syntax. See the policy.conf file for examples of working policies.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html