Multiple shared secret per IP?

Peter Lambrechtsen peter at
Mon Feb 13 18:14:26 CET 2017

On 14/02/2017 05:52, "Brian Candler" <b.candler at> wrote:

On 13/02/2017 14:47, Chris Taylor (chtaylo2) wrote:

> user: monitor
> source IP:
> secret: MonitorAgent
> ^ - That’s easy. To complicate, I need to also authenticate real users
> from the same source server, using a different shared secret.  (anyone can
> view the one above, so not secure) Ideally, I’d like to also lock down the
> above secret key, to the single user.

Could you add a second IP address to the server (i.e. an alias), and bind
to that when sending your test queries?

I was just about to reply and say exactly the same thing.

On my development server I have bound 6 secondary IP addresses to it and


In the first line of the request.

The other option, as suggested, is to add multiple IP addresses on the server,
or a listen statement in the configuration with a new port, and use per-port
clients to specify the shared secret.

In the end after various different ways of achieving it I created my own
custom VSA and include that in the request to determine the NAS type. Then
for normal NASes I use client shortname and make decisions in code. And for
my development server I don't define client shortname and pass it in as an
additional VSA.
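
The per-port option described above, sketched as an added example (not configuration posted by anyone in this thread), assuming FreeRADIUS 3.x syntax. The port 11812, the section name monitor_clients, the address 192.0.2.10 and the real-user secret are constructed placeholders; only the "monitor" user and the "MonitorAgent" secret come from the original question.

```conf
# clients.conf -- the global list, used by the normal auth port (1812).
# 192.0.2.10 is a constructed placeholder for the shared source server.
client app_server {
    ipaddr = 192.0.2.10
    secret = CHANGE_ME_real_user_secret   # placeholder; keep this one private
}

# A separate, named client list that only the monitoring listener consults.
clients monitor_clients {
    client monitor_agent {
        ipaddr = 192.0.2.10
        secret = MonitorAgent             # the widely known secret from the question
    }
}

# sites-enabled/default -- add inside the existing "server default { ... }" block.
listen {
    type = auth
    ipaddr = *
    port = 11812                          # constructed port for monitoring probes
    clients = monitor_clients             # this socket uses only the list above
}

# sites-enabled/default -- add at the top of the existing "authorize { ... }" section.
# Anything arriving on the monitoring port that is not the "monitor" user is
# rejected, so the widely known secret cannot be used to check real users.
if (("%{Packet-Dst-Port}" == "11812") && (&User-Name != "monitor")) {
    reject
}
```

The monitoring agent then sends its probes to port 11812, while real users from the same source IP keep using the default port and the private secret.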
