Device specific Access-Accept attributes and granular user group control

Peter Lambrechtsen plambrechtsen at
Fri Feb 5 00:58:05 CET 2010

This is how I did it using LDAP.

I would recommend using LDAP over MySQL, as normally you would have a
Corporate LDAP directory (Active Directory, or eDirectory or similar) and
managing access to your Radius system from Groups based in the LDAP is a
little easier than messing around with your MySQL database.

But that's just me.

On Fri, Feb 5, 2010 at 12:45 PM, Matt Hite <lists at> wrote:

> Hello --
> I am running freeradius2-2.1.7 with MySQL as the backend datastore.
> I've got a deployment up and running supporting the admin login to
> about 200 switches from a single vendor. I'm looking to expand my
> deployment and thus some new requirements have surfaced.
> Requirements:
> - Different brands of gear should get different VSAs and/or general
> attributes returned in Access-Accept messages. For example, if I log
> in from a Cisco device, I should get a different RADIUS attribute sent
> back than when logging in from an F5 or a NetScreen.
> - Some users can log into certain groups of devices, others should not
> be able to
> I'm fairly certain the #2 requirement will require the use of
> huntgroups. Does anyone have any idea how to accomplish requirement
> #1?
> Thanks for your help in pointing me in the right direction.

More information about the Freeradius-Users mailing list