freeRadius/LDAP per NAS access

Guy guy at
Tue Mar 8 13:54:41 CET 2011

On 7 Mar 2011, at 22:14, Alexander Clouter wrote:

> Guy <guy at> wrote:
>> I now have FreeRadius granting access and using LDAP for username and 
>> password information.
>> My next challenge, using the same Radius and LDAP server I would like 
>> to grant different users access via different NAS clients.
>> eg in LDAP I would have:
>> uid=guy
>> services: VPN
>> services: WiFi
>> If I have the "services: VPN" then I would be allowed to connect to 
>> the VPN server and if I don't have that entry in my LDIF then it would 
>> not be allowed to access.
>> Any ideas on how to do this, simply?
> ..."Dear Lazyweb" eh?  You should really *attempt* to try, or show you 
> have attempted something, 

"Dear Teacher", just like back at school "Please show your working.." :)

I did spend quite some time searching for the answer, however documentation "end-to-end" seems to be a little lacking.

> Now use "%{client:keyword}" in your LDAP xlat search query...

Thanks for the hints.. I've now got this to work...

In modules/ldap

I changed filter to: 

	filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"

Then in clients.conf.. just added an entry to each client:

client VPN_Server {
	secret	= ssshhh!
	shortname	= vpn
	nastype	 = other
	service = VPN
}

And finally for each user in the LDAP database I add the entry:

authorizedService: VPN

That's it, I can now control access to each client via VPN data.

> To be honest though, your approach *abuses* LDAP, you should be adding 
> them to a *group*, not bloating-up and overloading the user object; 
> otherwise you might as well use something horrible like SQL...

I would argue that point most strongly but this is not the place..

Thanks again for the help


> Cheers
> -- 
> Alexander Clouter
> .sigmonster says: A woman can never be too rich or too thin.
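The per-NAS check described in this thread, as an added simulation that is not code from the post or from FreeRADIUS: it expands the two xlat forms in the posted filter for a sample request and client definition, then evaluates the resulting filter against a constructed in-memory directory. The DIRECTORY, CLIENTS and request values are assumptions; the "printer" client is included to show what happens when a client entry has no "service" attribute.

```python
"""Simulate the per-NAS LDAP authorization filter from the thread."""
import re

# Constructed sample directory: uid -> set of authorizedService values.
DIRECTORY = {
    "guy": {"VPN", "WiFi"},
    "bob": {"WiFi"},
}

# Constructed clients.conf equivalents: shortname -> client attributes.
# "printer" deliberately has no "service" attribute.
CLIENTS = {
    "vpn": {"service": "VPN"},
    "wifi": {"service": "WiFi"},
    "printer": {},
}

# The filter exactly as posted in modules/ldap.
FILTER = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"


def expand(template, request, client):
    """Expand the two xlat forms used by FILTER: %{%{A}:-%{B}} (A if set and
    non-empty, otherwise B) and %{client:attr} (attribute of the NAS client).
    No LDAP filter escaping is attempted in this toy."""
    def with_default(m):
        return request.get(m.group(1)) or request.get(m.group(2), "")
    def client_attr(m):
        return client.get(m.group(1), "")
    out = re.sub(r"%\{%\{([\w-]+)\}:-%\{([\w-]+)\}\}", with_default, template)
    return re.sub(r"%\{client:([\w-]+)\}", client_attr, out)


def ldap_search(filter_str):
    """Return the uids matching an expanded (&(uid=X)(authorizedService=Y))
    filter. An empty Y matches no entry, so a client with no "service"
    attribute is denied rather than allowed (fail closed)."""
    m = re.fullmatch(r"\(&\(uid=([^)]*)\)\(authorizedService=([^)]*)\)\)", filter_str)
    if not m:
        raise ValueError("unexpected filter shape: " + filter_str)
    want_uid, want_service = m.groups()
    return [uid for uid, services in DIRECTORY.items()
            if uid == want_uid and want_service and want_service in services]


def authorize(request, client_shortname):
    """True if the user in the request may authenticate via that NAS client."""
    client = CLIENTS.get(client_shortname, {})
    return bool(ldap_search(expand(FILTER, request, client)))
```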

More information about the Freeradius-Users mailing list