Freeradius Restrict User Auth Request Based on VLAN

Thu Jan 18 04:54:58 CET 2018

- For some reason we are still on the 2.x series. Will add the unlang query once we upgrade to 3.x.

- By module I mean that for VLAN checking I have added an SQL query in the authorize section. I wanted to make a module like 'checkvlan_module' in the ./modules folder and then call it from the sites-enabled/default file, and based on the result returned by 'checkvlan_module' I can take action.

One Example:

#reject = 1
#update reply {
#Reply-Message := "Quota Limit Exceed!"


From: Freeradius-Users < at> on behalf of Nathan Ward <lists+freeradius at>
Sent: Thursday, January 18, 2018 4:48 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius Restrict User Auth Request Based on VLAN

> On 18/01/2018, at 12:47 AM, JAHANZAIB SYED <aacable at> wrote:
> Respected Nathan Ward,
> I just tested following & worked ok,

Awesome!

> if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
>     update reply {
>         Reply-Message = 'You are not allowed to connect from this VLAN'
>     }
>     update control {
>         Auth-Type := "Reject"
>     }
> }
> Any suggestions to improve this? Is this approach OK?

Looks OK to me.

> Can I make a module for it? And based on the return result, take action? In checkval/expiration modules?

What do you mean “make a module for it” - you can make modules for anything you want.

Don’t use checkval: <>
What do you want the expiration module to do here exactly?

Nathan Ward
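
An added example, not part of the original thread and not FreeRADIUS's shipped configuration: one way to package the quoted VLAN check as a named policy in policy.conf on 2.x and call it by name from sites-enabled/default. The policy name checkvlan is hypothetical; the users table, vlanid column and sql instance are taken from the quoted query, and reject is assumed to be the stock "always reject" instance from the default 2.x configuration.

```unlang
# raddb/policy.conf
policy {
    # Hypothetical policy name. Called by name from a virtual server,
    # in the same way as the stock policies in this file.
    checkvlan {
        # Same comparison as in the quoted message. If the query returns
        # no row, the left side expands to an empty string and the
        # request is rejected as well (fail closed).
        if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
            update reply {
                Reply-Message = 'You are not allowed to connect from this VLAN'
            }
            # Assumed: the stock "always reject" instance. Returning
            # reject ends authorize and sends an Access-Reject that
            # carries the Reply-Message set above.
            reject
        }
    }
}

# raddb/sites-enabled/default
authorize {
    preprocess
    sql
    # Run the VLAN check after the sql module so unknown users are
    # handled by the existing configuration first.
    checkvlan
}
```

Running radiusd -X while sending a test request from an allowed and a disallowed VLAN shows the expanded query, the value of NAS-Port-Id it was compared against, and the resulting return code.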
