Freeradius Restrict User Auth Request Based on VLAN

Wed Jan 17 10:25:44 CET 2018

What if we have only a single NAS?

All users are PPPoE based and connect to a single main NAS.

From: Freeradius-Users < at> on behalf of Alan DeKok <aland at>
Sent: Wednesday, January 17, 2018 2:15 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN

On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable at> wrote:
> We have Mikrotik as NAS and Freeradius as billing. VLANs are configured for each dealer's area. We have a few reseller/franchise managers, like Dealer-A, Dealer-B. They can create their own users in freeradius using a frontend designed in PHP. All dealers can view/edit their own users only.
> Sometimes it happens that Dealer-A creates an ID and gives it to a user/friend who is sitting in Dealer-B's network, therefore from a billing perspective it's a loss for Dealer-B.
> Can we impose some restriction so that User-IDs created by each dealer are able to connect only from his network (or from their own VLAN)?

  Sure.  You need to update your DB schema and queries tho.

- put the NASes into groups (dealer-A, dealer-B, etc.)
- ensure that the users are somehow associated with different dealers
- on login, look up dealer of NAS (call this NAS-dealer)
- on login, look up dealer of user (call this User-dealer)
- if User-dealer != NAS-dealer, then reject

  More details can't be given, because your question is very high level.

  Alan DeKok.

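The lookup-and-compare steps listed in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS's own code or schema. The table names, column names, addresses and users are assumptions constructed for illustration, and the check is written in Python over SQLite rather than as FreeRADIUS policy. It rejects when either side has no dealer mapping, so an unregistered NAS or user cannot bypass the restriction.

```python
import sqlite3

# Hypothetical schema (not FreeRADIUS's stock tables): one row per NAS and
# one row per user, each tagged with the dealer that owns it.
SCHEMA = """
CREATE TABLE nas_dealer  (nas_ip   TEXT PRIMARY KEY, dealer TEXT NOT NULL);
CREATE TABLE user_dealer (username TEXT PRIMARY KEY, dealer TEXT NOT NULL);
"""

# Constructed sample data (documentation address range, made-up users).
SAMPLE_NAS = [("192.0.2.10", "dealer-A"), ("192.0.2.20", "dealer-B")]
SAMPLE_USERS = [("alice", "dealer-A"), ("bob", "dealer-B")]


def open_db():
    """Build an in-memory database holding the sample mappings."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO nas_dealer VALUES (?, ?)", SAMPLE_NAS)
    db.executemany("INSERT INTO user_dealer VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup(db, query, key):
    """Run a parameterized single-column query; None when no row matches."""
    row = db.execute(query, (key,)).fetchone()
    return row[0] if row else None


def authorize(db, username, nas_ip):
    """Return (decision, reason) for one login attempt."""
    nas_dealer = lookup(db, "SELECT dealer FROM nas_dealer WHERE nas_ip = ?", nas_ip)
    user_dealer = lookup(db, "SELECT dealer FROM user_dealer WHERE username = ?", username)
    # Fail closed: a missing mapping on either side is a reject, not a pass.
    if nas_dealer is None:
        return ("reject", "NAS has no dealer")
    if user_dealer is None:
        return ("reject", "user has no dealer")
    if user_dealer != nas_dealer:
        return ("reject", f"{user_dealer} user on {nas_dealer} NAS")
    return ("accept", nas_dealer)


if __name__ == "__main__":
    db = open_db()
    for user, nas in [("alice", "192.0.2.10"), ("alice", "192.0.2.20"),
                      ("bob", "192.0.2.99"), ("carol", "192.0.2.10")]:
        print(user, nas, *authorize(db, user, nas))
```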