different user perms for different clients

Pat Cain moftsd at gmail.com
Thu May 7 02:52:44 CEST 2015

FreeRADIUS Version 3.0.7


I'm migrating to freeradius from Radiator, and the configuration files are
very, very different, so I'm looking for some conceptual guidance, or some
working examples.

Essentially, I'm just not getting it when it comes to configuring a
different list of users for each freeradius client.  Not sure if I'm
supposed to use huntgroups or features within client definitions.

The background:

We use Radius to authenticate access to Cisco switches (and some APC UPS
devices).  Our switches are mostly managed solely by a group of admins
(users useraa, userbb, and usercc), and a user userdd with read-only

Our Cisco switches are currently all statically listed as follows (in

client coswe008 {
    ipv4addr =
    secret = leauth
    nas_type = cisco

I have a file with our info configured in /etc/raddb/mods-enabled/passwd:

passwd fss_passwd {
    filename = /usr/local/etc/raddb/fss-users.passwd
    delimiter = |
    format =
    hash_size = 100
    ignore_nislike = yes
    allow_multiple_keys = no

and the contents of fss-users.passwd:

# File Format is (extra spaces around the '|' for ease of reading)
#  User-Name | Crypt-Password | Service-Type | Cisco-AVPair |

and this works fine.

What I'd like to be able to change, though, is for userdd to have admin
access to two of our switches, and read access to all the rest.

The essence of this question is how do I customize the user list for each
client? Is it a huntgroup, or a conditional include in the clients.conf

Thanks for what you can offer on this topic,

PS - is there an archive for this list that can be searched?

More information about the Freeradius-Users mailing list