Newbie question... using different authentication sources?

Ben Humpert ben at
Mon May 25 23:21:03 CEST 2015

2015-05-25 21:41 GMT+02:00 José Queiroz <zekkerj at>:
> Hi,
> I'm trying to set up a freeradius server to serve two clients, each of them
> an independent wireless network. The first one uses WPA2-Enterprise, and is
> expected to authenticate our users based on our internal LDAP server.
> The second one is a guest/open network, where users will pass their
> credentials in a captive portal, and are expected to be authenticated by a
> MySQL database.
> Problem is, both networks are covering the same area, and users of one of
> them is not allowed to use the other.
> I tried to set up radiusd.conf to include the appropriate modules, but I
> noticed that if the user sends a valid credential in the wrong network, it
> still gets authenticated.
> So, how can I enforce that users from NAS-IP-Address 1 get authenticated
> only by MySQL, and NAS-IP-Address 2 only on LDAP?

You want to check the huntsgroup stuff. It allows you to put NAS' into
groups and specify which Radius server to use for a given group. You
don't have to setup multiple Radius servers, just specify virtual ones
(sites-enabled) with a different port and that's it.

> I'm using FreeRADIUS 1.1.7 on Suse SLES 10 SP4. I have some machines with
> SLES 11 SP3, which will give me FreeRADIUS 2.1.1, but I prefer not using
> them by now, for several reasons.

If that old version does not support huntsgroup you sadly have to
upgrade. at least 2.1.12 supports it.

More information about the Freeradius-Users mailing list