Setting different IDLE-TIMEOUTS based on IP Address

Matthew Newton mcn4 at
Tue Apr 16 22:47:27 CEST 2013


On Tue, Apr 16, 2013 at 02:05:45PM -0500, John Giordano wrote:
> So I man’ed unlang and then did some more reading on huntgroups
> and the users file.  If at all possible I think we would opt for
> a combo of the huntgroups/users file approach.  I am still not
> clear as to how we would do this though….
> Could you please speak to the interrelationship between the
> clients file and the huntgroups file?

The clients file lists clients (NASes) that can talk the the

The huntgroups file (read by the preprocess module, not the files
module as in the comments at the top of the file) is used to match
incoming request attributes to set the Huntgroup-Name attribute,
which can be further used to set other attributes in the reply
(for example, in the users file, or by using unlang).

The users file (read by the files module) can match on request
attributes to set reply attributes. The standard lookup is for
User-Name; this can be changed, or a DEFAULT entry can be used to
match anything else.

> My first question is that every huntgroups file example I have seen on the Net uses a per NAS definition:
> raleigh        NAS-IP-Address ==
> raleigh        NAS-IP-Address ==
> raleigh        NAS-IP-Address ==
> premium        NAS-IP-Address ==, NAS-Port-Id == 0-4
>                Group = premium,
>                Group = staff
> I would rather not have to define 254 different entries in our
> huntgroups file (254 hosts in a Class C obviously).  Can I use a
> netmask somehow in the huntgroups file?

It's a check list, so you should be able to use any standard check
operator - so try regex, for example:


foo   NAS-IP-Address =~ /^10\.2\.3\./
bar   NAS-IP-Address =~ /^10\.4\.9\./

users: (add these at the *top* of the file)

DEFAULT   Huntgroup-Name == foo
          Idle-Timeout := 600
          Fall-Through := yes

DEFAULT   Huntgroup-Name == bar
          Idle-Timeout := 1200
          Fall-Through := yes

> In pseudo parlance this is what I am trying to accomplish in huntgroups:
> MSP 7345’s NAS-IP-Address ==
>                 IDLE-TIMEOUT = 1800
> SNJ 7000 NAS-IP-Address ==
>                 IDLE-TIMEOUT = 60

Note that Client-IP-Address is sometimes better than
NAS-IP-Address (it can't be spoofed, which may be the case if you
process proxied requests from RADIUS servers out of your own
control), but Client-IP-Address can *not* be used in the
huntgroups file as it only looks at the incoming request
attributes, of which Client-IP-Address is not. If this is a
concern there are ways of getting around it. One is to use unlang
instead of the huntgroups file, as Alan suggested.

Note the above splits the config over two locations. If you want
to keep it all in one place, use unlang like Alan said. If it
doesn't look tidy, put it in the policy.conf file and then call
the policy name instead.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list