Restricting dialup users to certain client definitions only

Todd R. tjrlist at
Fri Dec 19 22:30:28 CET 2008

Jeff & List,

 Thanks, this seems fairly simple so I gave a whirl.. For the last two hours
or so :( No joy.. 

Of course, it's entirely possible I totally missed your point.

Here is what I tried:

I have a user called "user" who is assigned to the "dialusers-t" user group
in the "radusergroup" table.

I am using NTradPing from my laptop located at let's say which
correctly shows up in the debug as Client-IP-Address.

Now I wanted to test to see if I could put a rule (based on what you showed
me) into the radcheck table and get a reject in my test client based on the
fact that the Client-IP-Address I am connecting from with my test client is
not the one allowed in my radcheck table for the group the user belongs to.

Here is the rule:
ID: xxx
GroupName: dialusers-t
Attribute: Client-IP-Address
OP: ==

So, I thought that this would not allow a user from a client ip unless it
was So I tried to auth from my test client located at an IP
address OTHER than and I still get an accept.

I have played around with different operators and such but still no luck.

Any ideas?


 Todd R.

-----Original Message-----
From: at
[ at lists.freeradius.
org] On Behalf Of Jeff Crowe
Sent: Friday, December 19, 2008 1:00 PM
To: FreeRadius users mailing list
Subject: RE: Restricting dialup users to certain client definitions only

Hi Todd,

I am using FR & MySQL and have the following in my radgroupcheck table to
limit my dialup customers from connecting to my dsl aggregators.  I have
created different Groups (dialup & dsl for simplicity).  In the dialup group
I have rule that reads:

ID: xxx
GroupName: dialup
Attribute: NAS-IP-Address
OP: !~
Value: (|

This prevents any user in FR with a group of dialup from connecting to a NAS
device with an IP of or .2

Hope this gives you an idea on where to limit your customers.


More information about the Freeradius-Users mailing list