Device specific Access-Accept attributes and granular user group control

Alan DeKok aland at
Fri Feb 5 09:00:02 CET 2010

Matt Hite wrote:
> - Different brands of gear should get different VSAs and/or general
> attributes returned in Access-Accept messages. For example, if I log
> in from a Cisco device, I should get a different RADIUS attribute sent
> back than when logging in from a F5 or a NetScreen.

  It's not well known, but the configuration files can be used as a
simple database.  Any "well formed" text will be accepted, and can be
lookup up later.  e.g.:

client foo {
	ipaddr = ...
	secret = ...
	myfield = cisco

  Then when processing a packet:

	if ("%{client:myfield}" == "cisco") {

  You can define your own data, and put each device into it's own
"group", simply by adding a field to each "client" entry.  Then, return
the appropriate attributes for each type of client.

> - Some users can log into certain groups of devices, others should not
> be able to

  Use the same thing, but also using "groups" for the users.

client foo {
	class = foo

	Then in a processing section (authorize, etc.)

	if ((Group == "limited") && ("%{client:class}" != "foo")) {

  If you don't want "unix" groups, see "man rlm_passwd".

  Alan DeKok.

More information about the Freeradius-Users mailing list