Grouping different kinds of clients and returning different attributes

Alan DeKok aland at
Fri Feb 13 09:44:00 CET 2009

David Bailey wrote:
> The problem is that although I have some 250 client definitions in
> clients.conf, I'd rather avoid using 250 definitions in users.
> I'm trying to find a way to categorize the RADIUS clients into Cisco, HP,
> etc.

  You could use groups.  See "man rlm_passwd" for examples.  You can
create groups based on any criteria.  Then, just do group checking.

> What I was trying to do was to give each client a name:
> client {
>   ipaddr =
>   secret = supersecret
> }
> client {
>   ipaddr =
>   secret = alsoverysecret
> }

  One undocumented feature is that you can put *anything* into the
configuration, so long as it is the correct format:

client a {
	ipaddr =
	secret = foo
	vendor = cisco

  FreeRADIUS will load the "vendor" entry, but it won't do anything with
it. You can then create rules bases on that,

> And then build something to refer to them in the users file along the lines
> of:

  Don't use the "users" file.  See "man unlang" for a better wy.

> DEFAULT Client-Shortname =~ "Cisco_IOS.*", User-Name := "someadmin",
> Cleartext-Password := "goodpassword"
>   Service-Type = NAS-Prompt-User

  Don't use ":=" for User-Name.  See "man users" for why.

> I'm having some problems, so I'm either missing something, or I'm going down
> an entirely wrong path. I got the "Client-Shortname" from the Run-time
> variables page in the Wiki, but I suspect it isn't evaluating like I think
> it ought to.

  Try unlang:

authorize {

	if ("%{client:vendor}" == "cisco") {

  This says: look up the current client (for this request), and find the
"vendor' entry.  If that is "cisco", then do... something.

  It's a lot clearer to understand than the "users" file.

  Alan DeKok.

More information about the Freeradius-Users mailing list