How to configure freeradius server to authenticate VSA attribute

[Jibin Han]

Hi,

I am using freeradius v2.1.12 on Ubuntu 16.04, I need to configure it so that it will authenticate the incoming RADIUS messages based on their Vendor Specific Attributes. I looked over freeradius.org, it is not clear how to do that, hence ask people in this group.

Here are the details -

  1.  We have an in-house developed RADIUS client software which creates a RADIUS access request message and sends to freeradius server.
  2.  The configuration of freeradius server is ready: when the client message has the right user/password, we can receive accept message; otherwise reject message. The authentication is PAP.
  3.  Now we insert VSA attribute: the code is 26, the vendor id is our vendor's ID and the custom name and value.
  4.  Our goal is, make freeradius server authenticate not only user/password, but also this VSA - when an invalid name/value are put into VSA, freeradius sends reject message.

I check out dictionary, but that seems just some name mapping, I do not think it authenticate attributes.

Could you point me the direction how this could be done and preferably with some examples?

I can upgrade to freeradius v3 if it is required.

Thanks a lot!