Freeradius Restrict User Auth Request Based on VLAN

Wed Jan 17 12:47:37 CET 2018

Respected Nathan Ward,

I just tested the following and it worked OK:

if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
    update reply {
        Reply-Message = 'You are not allowed to connect from this VLAN'
    }
    update control {
        Auth-Type := "Reject"
    }
}

Any suggestions to improve this? Is this approach OK?

Can I make a module for it, and take action based on the return result, as in the checkval/expiration modules?
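As an added illustration (not code from the thread or from the FreeRADIUS project), here is Nathan Ward's option (2) from the reply quoted below written as an unlang policy for the authorize section of sites-enabled/default: the existing radcheck lookup stays as it is, and a separate table is consulted only after the user has been found. The table name user_vlan and its columns username and nas_port_id are assumptions; the rest uses only standard FreeRADIUS 3 attributes and the sql xlat that the snippet above already relies on.

```unlang
#  Added example (not from the thread): Nathan Ward's option (2) as an
#  unlang policy for the "authorize" section of sites-enabled/default,
#  placed directly after the "sql" module call.
#
#  Assumed table (hypothetical name and columns), one row per permitted
#  user/VLAN pairing:
#    CREATE TABLE user_vlan (
#        username    VARCHAR(64) NOT NULL,
#        nas_port_id VARCHAR(64) NOT NULL,
#        PRIMARY KEY (username, nas_port_id)
#    );
#  Because the pair is the primary key, a permitted combination yields
#  COUNT(*) = 1.  Anything else (0 rows, or an empty expansion because the
#  query failed) is treated as "not permitted", so the check fails closed.

authorize {
    # ... preprocess, chap, mschap, suffix, eap, etc. ...
    sql

    #  Only apply the VLAN check to users the sql module actually found;
    #  unknown users are rejected by the normal flow with their own log line.
    if (ok) {
        #  The sql xlat escapes the expanded User-Name and NAS-Port-Id before
        #  they are placed in the query.
        if ("%{sql:SELECT COUNT(*) FROM user_vlan WHERE username = '%{User-Name}' AND nas_port_id = '%{NAS-Port-Id}'}" != "1") {
            #  Module-Failure-Message is shown in the server's authentication
            #  log line and in debug output, so the reason is recorded on the
            #  server without changing what the NAS sees.
            update request {
                &Module-Failure-Message := "user '%{User-Name}' not permitted on VLAN '%{NAS-Port-Id}'"
            }
            update reply {
                &Reply-Message := "You are not allowed to connect from this VLAN"
            }
            update control {
                &Auth-Type := Reject
            }
        }
    }

    # ... pap, expiration, logintime, etc. ...
}
```

The comparison is deliberately against "1" rather than "0": if the database is unreachable the xlat expands to an empty string, and comparing against "0" would let such users through. A successful login still costs one extra query, which is the trade-off Nathan describes; the VLAN mismatch is now distinguishable from a bad password in the logs.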

From: Freeradius-Users < at> on behalf of Nathan Ward <lists+freeradius at>
Sent: Wednesday, January 17, 2018 4:07 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN


> On 17/01/2018, at 11:58 PM, JAHANZAIB SYED <aacable at> wrote:
> Ok I added this in RADCHECK table.
> NAS-Port-Id == VLAN2
> & it seems to be working fine.

Awesome !

> Is there any way I can customize the radreply if the user gets rejected due to an incorrect VLAN (for log purposes)?
> ------------------------
> Example of one module I have that checks for Invalid MAC.
> checkval{
> reject = 1
> }
> if(reject){
> ok
> update reply {
> Reply-Message := "Incorrect MAC!"
> Framed-Pool := "invalid-mac-address-pool"
> Mikrotik-Rate-Limit := "1k/1k"
> }
> }
> I want something similar for the Incorrect VLAN users.
> is it possible?

Not really. Doing it the way you are now with radcheck, it doesn’t tell you which didn’t match; it tells you that there were no matches for all of the conditions.

2 options off the top of my head (others may have better ideas):
1) Use radcheck, if it rejects, use sql xlat to check if there is a user match but not a NAS-Port-Id match.
2) Instead of adding NAS-Port-Id to radcheck, if it is successful use sql xlat to check a different table which has a Username and NAS-Port-Id columns, and validate that the NAS-Port-Id matches that username, and then you know that username auth was successful but “dealer” auth was / was not.

(1) is probably faster (1 query for successful auth), (2) is probably conceptually easier to understand for people in the future who have to debug this.

Nathan Ward
