users file for NULL realm, LDAP for another

Phil Mayers p.mayers at
Fri Jul 21 13:27:15 CEST 2006

John Keimel wrote:
> I have two Freeradius servers, one of which authenticates MAC addresses 
> for wireless, the other usernames at for some other network 
> access.
> I'd like to combine the two of them into one server. If the username 
> comes through without a realm (a MAC address) I'd like it to check the 
> users file. If it comes through with a realm, just check LDAP. If the 
> MAC address fails, it should never ever check LDAP. That just beats up 
> the LDAP server and the LDAP admin yells (with good reason!).

Use Autz-Type and a second files module, like so:

modules {
   files {
     usersfile = ${confdir}/users
   }
   files files2 {
     usersfile = ${confdir}/users2
   }
   ldap {   # existing LDAP module settings, unchanged
   }
}

authorize {
   files            # sets Autz-Type from ${confdir}/users
   Autz-Type MAC {
     files2         # MAC addresses: local file only, never LDAP
   }
   Autz-Type USER {
     ldap           # realm usernames: LDAP only
   }
}

in ${confdir}/users:

# a User-Name with a realm (an '@' in it) goes to the USER branch; the first
# matching DEFAULT wins, so the regex must not match bare MAC addresses too
DEFAULT User-Name =~ "@", Autz-Type := USER

# everything else (a bare MAC address) goes to the MAC branch
DEFAULT Autz-Type := MAC

in ${confdir}/users2:

# one entry per permitted MAC: check items on the first line must all match,
# indented lines are the reply attributes (placeholder names shown here)
00-11-22-33-44-55 Whatever-Attributes == "somevalue"
	Reply-Attribute-1 = foo,
	Reply-Attribute-2 = bar

> Should I be looking to do this just in the radiusd.conf? Or should I be 
> attempting to mangle some kind of proxy arrangement? Would anyone care 
> to share any sample configs for such a thing? It looks to me like there 
> may be several ways to do this and I'd like to spend the time building 
> up the best method. Proxy? Autz-type?


Proxy is really intended for if you're going to send the request on 
somewhere else. It *can* strip the username, but there are easier ways 
to do it.

You could also configure a huntgroup based on various attributes e.g.


# in ${confdir}/huntgroups (the conditions on one line must all match)
ethernet NAS-Port-Type == Ethernet

vpn NAS-Port-Type == Async, NAS-IP-Address == my.vpn.server.ip


# in ${confdir}/users: choose the branch from the huntgroup rather than the username
DEFAULT Huntgroup-Name == "ethernet", Autz-Type := MAC

DEFAULT Huntgroup-Name == "vpn", Autz-Type := USER

...and so on
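A toy model of the dispatch described in the reply above, added here as an illustration; it is not code from this thread or from FreeRADIUS itself. It parses users-file style entries with the first-match, no-Fall-Through rule of rlm_files, lets the first `files` call set Autz-Type, and then runs only the chosen branch, with a counting stub standing in for rlm_ldap so you can prove that a failed MAC lookup never touches LDAP. The sample users/users2 contents, the LdapStub class and the assumption that a matching users2 entry carries Auth-Type := Accept are all constructed for this example. The realm regex is "@" rather than ".*": a regex that matches every name routes MAC addresses to the USER (LDAP) branch as well, which the BUGGY_USERS constant demonstrates.

```python
import re
# Constructed sample files for this example, not the poster's configuration.
USERS = """\
# a name carrying a realm ('@') takes the USER branch (LDAP); anything else the MAC branch
DEFAULT User-Name =~ "@", Autz-Type := USER
DEFAULT Autz-Type := MAC
"""
USERS2 = """\
00-11-22-33-44-55 Auth-Type := Accept
        Reply-Message = "known MAC"
"""
BUGGY_USERS = """\
DEFAULT User-Name =~ ".*", Autz-Type := USER
DEFAULT Autz-Type := MAC
"""
ITEM_RE = re.compile(r'([\w-]+)\s*(=~|==|:=|!=|=)\s*(?:"([^"]*)"|(\S+))')


def parse_items(text):
    """'Attr op value, Attr op value' -> [(attr, op, value)]; commas inside quotes unsupported."""
    items = []
    for part in filter(None, map(str.strip, text.split(','))):
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError("cannot parse item %r" % part)
        attr, op, quoted, bare = m.groups()
        items.append((attr, op, quoted if quoted is not None else bare))
    return items


def parse_users(text):
    """users-file syntax: name and check items in column 0, reply items on indented lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            entries[-1][2].extend(parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append((parts[0], parse_items(parts[1] if len(parts) > 1 else ''), []))
    return entries


def match_entry(entry, request, control):
    """Reply items if name and every check item match, else None; ':=' applies only on a match."""
    name, check, reply = entry
    if name != 'DEFAULT' and name != request.get('User-Name'):
        return None
    assigns = []
    for attr, op, value in check:
        if op == ':=':
            assigns.append((attr, value))
        elif op == '==' and request.get(attr) != value:
            return None
        elif op == '!=' and request.get(attr) == value:
            return None
        elif op == '=~' and not re.search(value, request.get(attr, '')):
            return None
    control.update(assigns)
    return reply


def run_files(entries, request, control):
    """Emulate rlm_files: the first matching entry wins unless it sets Fall-Through = Yes."""
    matched, reply = False, {}
    for entry in entries:
        r = match_entry(entry, request, control)
        if r is None:
            continue
        matched = True
        reply.update((a, v) for a, _, v in r if a != 'Fall-Through')
        if not any(a == 'Fall-Through' and v.lower() == 'yes' for a, _, v in r):
            break
    return matched, reply


class LdapStub:
    """Stand-in for rlm_ldap that counts lookups, so a test can prove MACs never reach it."""
    def __init__(self, directory):
        self.directory, self.lookups = directory, 0
    def lookup(self, user_name):
        self.lookups += 1
        return self.directory.get(user_name)


def authorize(request, users_text, users2_text, ldap):
    """Model the authorize section: 'files' picks Autz-Type, then exactly one branch runs."""
    control = {}
    run_files(parse_users(users_text), request, control)
    autz = control.get('Autz-Type')
    if autz == 'MAC':
        matched, reply = run_files(parse_users(users2_text), request, control)
        return ('accept' if matched and control.get('Auth-Type') == 'Accept' else 'reject'), reply, autz
    if autz == 'USER':
        entry = ldap.lookup(request.get('User-Name', ''))
        return ('accept' if entry else 'reject'), dict(entry or {}), autz
    return 'reject', {}, autz


if __name__ == '__main__':
    ldap = LdapStub({'alice@example.com': {'Reply-Message': 'ldap user'}})
    for name in ('00-11-22-33-44-55', 'aa-bb-cc-dd-ee-ff', 'alice@example.com'):
        print(name, authorize({'User-Name': name}, USERS, USERS2, ldap))
    print('LDAP lookups:', ldap.lookups)  # 1: only the realm user touched LDAP
```

Swap BUGGY_USERS in for USERS and the unknown-MAC request still ends in a reject, but the lookup counter goes up, which is exactly the LDAP load the original question wants to avoid.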

More information about the Freeradius-Users mailing list