Nas-IP-Address regexp matching in hints/huntgroups working in 2.2.0 and not in 3.0.13

Alan DeKok aland at
Wed Dec 6 17:11:57 CET 2017

On Dec 6, 2017, at 11:06 AM, Gianni Costanzi <gianni.costanzi at> wrote:
> Hi,
> I'm configuring a Freeradius 3.0.13 server and I'm testing the
> configuration we have on a 2.2.0 Freeradius.
> On our 2.2.0 we've implemented some entries like the following one within
> the hints file:
> DEFAULT User-Name =~ "^(xx[e0][0-9]{3})$", NAS-IP-Address !~
> "10\.10\.1\.11[89]$", NAS-IP-Address !~ "10\.10\.2\.(10|20)$"
>        User-Name := "%{User-Name}@imp"

  Regexes on IP addresses are terrible...

> (If you are wondering why we have multiple "NAS-IP-Address !~" on a single
> line is because we've reached the maximum length for the string passed to
> !~ and so we've split the string in multiple "NAS-IP-Address !~" blocks)

  That's a v2 limitation.  v3 has removed much of that.

> The behavior we've implemented is: if username matches the regexp and
> NAS-IP-Address does not match any of the regexps on the same line, then add
> a realm to the username.
> The above configuration does not give any error but it does not work on
> 3.0.13. The same happens with huntgroups where regexp matching on
> NAS-IP-Address like the following one does not work anymore:

  Regular expressions are not supported for IP address in the "users" or "hints" or "huntgroups" file.

> So my questions are:
> 1) should regexp matching work within hints and huntgroups file for
> NAS-IP-Address in 3.0.13 as it worked in 2.2.0?


> 2) if they do not work anymore, how should I implement "if you are user
> XXXX (with regexp) and the NAS-IP-Address is not one of the listed ones,
> then do User-Name manipulation?

  Use Unlang

	if ((User-Name =~ /regex/) && \
	    ((NAS-IP-Address =~ /regex/) || \
	     (NAS-IP-Address =~ /regex/) ...

  But realistically, if you have a list of IP addresses, it's better to put them into groups, and check the group.  See "rlm_passwd", and "man rlm_passwd".

  You can create groups which match a list of addresses (no regex), and then just do group checking.

  Alan DeKok.

More information about the Freeradius-Users mailing list