Additional Restrictions for users

William Burnett burnett.w at
Fri Sep 24 22:07:44 CEST 2010

I currently have my RADIUS servers setup to handle authentication for
my various NAS's to grant users access to network resources.

I would like to use the same servers to handle authentication for SSH
for various routers. This all works, but I'm having a hard time
getting the RADIUS server to only accept requests from users of the
"ssh" group. I obviously don't want john.doe accessing my core

What is the best way to go about this? I was trying to use unlang to
query my database but can't seem to get the syntax right.

contents of sites-enabled/default:

...authorize {


if (Service-Type == "Login-User")
                if ( %{group_membership_query} == "ssh") {
                        update reply {
                else {
                         update reply {
                                  Auth-Type := Reject

The group_membership_query would reference this:

group_membership_query = "SELECT groupname \
          FROM ${usergroup_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY priority"

Any help/suggestions would be much appreciated.


William Burnett
burnett.w at

More information about the Freeradius-Users mailing list