Huntgroup-Name vs client:group

Óscar Remírez de Ganuza Satrústegui oscarrdg at
Fri Oct 30 17:13:54 CET 2015

Good afternoon,

We are migrating previous radius (2.1.9) authentication to a new instance
of freeradius (3.0.10).
We are moving two different configurations to a single radius.

As we are supporting AAA from different services, we are using
Huntgroup-Name attribute to separate the authorization.

if ( Huntgroup-Name == 'Wireless'  ) {
     if (  Ldap-Group == "unav.wireless.1" ) {
         update reply {
elsif ( Huntgroup-Name == 'Wired'  ) {
      if (  Ldap-Group == "unav.wired.1" ) {

We are doing it even on the inner-tunnel; using copy_request_to_tunnel, and
with module preprocess on the inner-tunnel.

It is working ok.

But I have just found a previous suggestion on this list [1] in which it is
suggested to check "client:group" instead of huntgroup-name:

*"do policy checking via %{client:group} instead of Huntgroup-Name.  It
will do the same thing, and will be *enormously* faster."*

In our particular setting, we have around 7 huntgroups for a total of 20
NAS-Clients. And we receive 20 different Access Requests per second on top

In our case, do you think that we are also going to experience a much
better performance using client:group instead of huntgroup-name?

I had been looking for information on client:group, but I could not find a
lot of it. [2]

Thank you very much for your help.



*Oscar Remírez de Ganuza Satrústegui*
IT Services
Universidad de Navarra
Tel. +34 948425600 x803130
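
An added example, not part of the original post: the same Wireless/Wired split written against %{client:group}, as the quoted suggestion describes. The client names, addresses, secrets and the per-client `group` item are constructed for illustration; the LDAP group names are the ones from the post. The final branch is an assumption of this example: a client with no recognised group is rejected rather than falling through.

```conf
# ---- clients.conf (constructed sample clients) ----
# "group" here is a custom item added to each client definition
# (assumption of this example). It is read back in policy with
# %{client:group}, so no huntgroups file lookup is needed per request.
client wlc-example-1 {
    ipaddr = 192.0.2.10
    secret = REPLACE_WITH_SHARED_SECRET
    group  = Wireless
}

client switch-example-1 {
    ipaddr = 192.0.2.20
    secret = REPLACE_WITH_SHARED_SECRET
    group  = Wired
}

# ---- sites-available/default, authorize section (after ldap) ----
if ("%{client:group}" == 'Wireless') {
    if (Ldap-Group == "unav.wireless.1") {
        # add the reply attributes for wireless users here
        ok
    }
    else {
        reject
    }
}
elsif ("%{client:group}" == 'Wired') {
    if (Ldap-Group == "unav.wired.1") {
        # add the reply attributes for wired users here
        ok
    }
    else {
        reject
    }
}
else {
    # Client has no group, or a group this policy does not know:
    # fail closed instead of authorizing by default.
    reject
}
```

Running the server with `radiusd -X` and sending a test request from each client shows the expanded value of %{client:group} in the debug output, which confirms that every NAS carries the group the policy expects.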
