restricting users access to clients?

Matt Ashfield mda at
Fri Apr 20 17:51:06 CEST 2007

HI, I realize this was a thread from over a month ago, but thought I'd ask
anyway. I have my original post, followed by your reply, followed by my new

First off, my original post:
>We're using FreeRadius to authenticating our wireless users (who's
>credentials are stored in LDAP). But we'd also like to use it to
>authenticate a select few users who need access to our networking gear. Our
>networking gear is setup to do this, but I'm not sure how to set this up in
>I would assume that you'd specify in the clients.conf section which users
>are allowed access to that device, but in looking at the documentation for
>clients.conf, that doesn't seem to be the case.
And your reply:
You would want to use the special username DEFAULT.  (Check the man page
for users(5).)

What I did (although this might be slightly hackish.) is I took a look
at the attributes in the request that was being sent by the supplicant.
I looked for attributes that were different between the wireless users
and the network equipment users.  For example, you might want to do
something like:

"admin1"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

"admin2"  NAS-Port-Type == "Virtual", Auth-Type = LDAP

# This matches everyone else
DEFAULT   NAS-Port-Type == "Virtual", Auth-Type := Reject

# This will match all wireless users
DEFAULT   NAS-Port-Type == "Wireless-802.11", Auth-Type = LDAP

Of course, this will mean that your network admins will *only* be able
to login via LDAP.  You may need to configure some kind of Fall-Through
if you want users to authenticate using some other mechanism in addition
to LDAP.  So this is not without its limitations, but this should give
you some ideas to start from.
John Guthrie
guthrie at

My question here is, would doing what you mentioned above eliminate the
possibility of users other than admin1 or admin2 authenticating to the
network via that switch? What we're trying to do is rather odd I guess. On
one hand, we want to use the switch as an 802.1x device for regular use. So
it has to be able to authenticate at the switch port level via 802.1x. We
currently have huntgroups for that and it works. 
We'd ALSO like to be able to use Radius to authenticate our comms staff when
they telnet/login to switches mgmt interfaces. So while I think your
suggestion above would work for that part, it would at the same time deny
all my 802.1x users because of the Reject statement?

I'm a bit confused, so any help is appreciated.


More information about the Freeradius-Users mailing list