Proxy decision based on LDAP lookups and Radius_client match.

Frank Skovboel fs at
Tue Nov 1 08:45:30 CET 2011

Hi Alan,

Thank you for your help, it's up and running now, I do have a few follow up questions to try and see if I can make changes to the configuration a bit more simple.

Is there a way to refer to the client shortname in the sites-enabled/default authorize section, so I only need to have the IP in one place? or even better is there a way I can group clients so I can test on the group in sites-enabled/default authorize section? .. so the only place the IP exists is in the clients.conf, and then I can group them, so I only have one if / elsif statement per company?

client {
 secret = mysecret
 shortname = CompanyA_client1

client {
 secret = mysecret
 shortname = CompanyA_client2

huntgroups file
CompanyGroupA CompanyA_client1
CompanyGroupA CompanyA_client2

 if (CompanyGroupA == Packet-Src-IP-Address) {
 elseif (CompanyGroupB == Packet-Src-IP-Address) {

So to setup a new radius client for a customer I would only have to add the radius client, and add that radius client to the company's clients group?

> Frank Skovboel wrote:
> > Where would I place this (what file under which section?), and do I
> > need to do some thing special to make sure it does not try to
> > authenticate the user?
>   In the "authorize" section.  Look at raddb/sites-available/default.
> There are examples of using the "ldap" module.
> > Where can I read about the response codes that I can expect on
> > "found user" and "user not found" ?
>   $ man unlang
> > "else proxy it" is that about using update control ?
>   Yes.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

Thank you,

More information about the Freeradius-Users mailing list