replay with different attributes depending on NAS

Alan DeKok aland at
Tue Apr 17 21:37:07 CEST 2018

> On Apr 17, 2018, at 3:32 PM, Mathew Howard <Mathew at> wrote:
> I have a situation where I need to reply with different attributes depending on what NAS the request comes from. Currently, it we're doing this with a microsoft radius server, and it has the ability to do a check for the NAS-identifier, and match different policies, depending on what that is, but I haven't been able to figure out how to duplicate that in freeradius.

  See the examples in raddb/sites-enabled/default

	if (NAS-Identifer == "foo") {
		update reply {
			Reply-Message = "Hello, foo"

  The next step is to determine what you mean by "policies".  You can just write if / then / else rules in unlang, and do whatever you want.

  If you want to use the same policy in multiple places, see raddb/policy.d/.  It contains multiple files with example policies.  You can create your own.  Think of them as almost subroutines.

  Once you define a policy "foo", you can do:

	if (NAS-Identifer == "foo") {

  And it will run the policy "foo"/

> Basically, what I'm trying to do is do a check to see if the user matches belongs to group 1, then check if NAS-identifier=A and reply with atttribute x, or if NAS-identifier=B, then reply with attribute y.
> Is there an easy way to do this, that I'm missing?

  See the default configuration && documentation.  There are many, many, examples of doing this.  Just write if / then / else statements to do whatever you want.

  Alan DeKok.

More information about the Freeradius-Users mailing list