Requiring a valid user-group-groupcheck before sending a response

Benjamin Oh ben at
Mon Feb 1 23:30:44 CET 2016

Is it possible to authenticate or deny a request based on the radgroupcheck
and radusergroup being 'satisfied'?  Basically I want to make sure that all
3 of the following are satisfied:

1) the user is in a proper group (radusergroup)
2) the request is coming from a valid IP (radgroupcheck using
3) the user/password is valid of course (radcheck)

The issue I have is a user can supply a valid user/password combination,
but not have the required group membership in radusergroup, but still be
pass authentication which only looks at radcheck (user/password) and
nothing else.  My desire is to be able to isolate different environments by
group and NAS-IP-Address.  There may be a much more elegant way of getting
this done, which I'm open to as well.

More information about the Freeradius-Users mailing list