limiting login for particular purpose

Matthew Newton mcn4 at
Sun May 22 17:54:50 CEST 2016

On Sun, May 22, 2016 at 12:49:09AM +0200, dump at wrote:
> I want to add a small administration page and I want to use radius via
> php too for authentication of the admin. But I want to ensure that the
> administration account can only be used for login into the
> administration section and not for login into the WiFi-net.
> I don't want to use realms for this purpose. I thought using the
> Auth-Type directive in the radcheck or radgroupcheck table and
> forbidding EAP authentication could be a possibility. But I don't know
> how to arrange this.
> Does somebody have some hints or another possibility for achieving the
> described above?

Look at the wireless auth packets and the web site auth packets.
Find some difference between them (missing Calling-Station-Id,
differnet NAS-IP-Address, Service-Type etc) and either put
radcheck entries to reject the connection for those, or just use
unlang to reject in the case you don't want to allow access.


if (&NAS-IP-Address != "" && User-Name == "webadmin") {


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list