Rejecting realms based on calling client

David Aldwinckle daldwinc at
Thu Aug 15 15:17:17 CEST 2013

Hi Alan,

Thanks for your response.

Initially FreeRadius would not start and I did get an error indicating
that the "remote_secret_reject" module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.

Now I can get FreeRadius to start. I still seem to be missing something
though, since my policy does not work. Here it is:

remote_secret_reject {
	if ((Realm == "") && ((Client-Shortname == "")
|| (Client-Shortname == ""))) {

In sites-enabled/default:

authorize {

Here is the log:

Aug 15 09:02:33 radius1 radiusd[3408]: Login OK:
[confS13-150 at] (from client port 44721 cli
11-22-33-44-55-66 via TLS tunnel)
Aug 15 09:02:34 radius1 radiusd[3408]: Login OK:
[confS13-150 at] (from client port 44721 cli

I have a feeling that the solution is painfully obvious but I'm just not
seeing it.


Dave Aldwinckle

On 2013-08-13 11:22 AM, "Alan DeKok" <aland at> wrote:

>David Aldwinckle wrote:
>> Is there a way that I can deny a specific realm when an access request
>> is received from a specific client?
>  Yes.
>> I tried adding something to policy.conf but I couldn't get the syntax
>  So... what happened?  Did you get an error?  Is it a secret?
>> #Prevent secretrealm from logging in off-campus
>> remote_secret_reject
>> if ("%{Realm}" == "") && ((Client-Shortname ==
>> "proxy-client1") || (Client-Shortname == "proxy-client2"))) {
>> reject
>>  }
>> Is there a different way that I should be doing this?
>  You can do it via a policy.  But you have to get the syntax right.
>See "man unlang" for documentation on the syntax.  See the policy.conf
>file for examples of working policies.
>  Alan DeKok.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list