Freeradius Restrict User Auth Request Based on VLAN

Wed Jan 17 11:58:57 CET 2018

Ok I added this in RADCHECK table.

NAS-Port-Id == VLAN2

& it seems to be working fine.

Is there any way I can customized the radreply if user gets rejected dueto incorrect VLAN (for log purposes)


Example of one module I have that checks for Invalid MAC.

reject = 1
update reply {
Reply-Message := "Incorrect MAC!"
Framed-Pool := "invalid-mac-address-pool"
Mikrotik-Rate-Limit := "1k/1k"

I want something similar for the Incorrect VLAN users.

is it possible?

From: Freeradius-Users < at> on behalf of Nathan Ward <lists+freeradius at>
Sent: Wednesday, January 17, 2018 2:26 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN

> On 17/01/2018, at 10:15 PM, Alan DeKok <aland at> wrote:
> On Jan 17, 2018, at 2:12 AM, JAHANZAIB SYED <aacable at> wrote:
>> We have Mikrotik as NAS and Freeradius as billing. VLAN are configured for each dealer's area. We have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using fronted designed in php. All dealers can view/edit there own users only.
>> Sometimes it happens that Dealer-A creates ID and give it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss of Dealer-B.
>> Can we impose some restriction so that User-ID's created by each dealer should be able to connect only from his network (or from there own VLAN) only.
>  Sure.  You need to update your DB schema and queries tho.
> - put the NASes into groups (dealer-A, dealer-B, etc.)
> - ensure that the users are somehow associated with different dealers
> - on login, look up dealer of NAS (call this NAS-dealer)
> - on login, lookup dealer of user (call this User-Dealer)
> - if User-dealer != NAS-dealer, then reject
>  More details can't be given, because your question is very high level.

Been meaning to reply to this one. It sounds like the OP has NASes (or maybe just one NAS) shared across many dealers, with one VLAN per dealer. I agree though, it is not very clear.

I would suggest looking at the NAS-Port-Id attribute and see if you can use that to figure out the VLAN interface that the subscriber comes in on - whether that works or not depends on your NAS, and I imagine the protocol - Mikrotik docs suggest that this would work for PPPoE and hotspot. You can also set “realm” per RADIUS client, and set a RADIUS client per PPPoE server. This will send the Mikrotik-Realm attribute.

You can add checks for the correct “NAS-Port-Id” or “Mikrotik-Realm” in the radcheck table.

Nathan Ward

List info/subscribe/unsubscribe? See
Support & Services<>
The world's leading RADIUS server. The project includes a GPL AAA server, BSD licensed client and PAM and Apache modules. Full support is available from NetworkRADIUS.

More information about the Freeradius-Users mailing list