How to configure freeradius server to authenticate VSA attribute

Alan DeKok aland at
Sat Mar 10 12:50:05 CET 2018

On Mar 10, 2018, at 1:13 AM, Jibin Han via Freeradius-Users <freeradius-users at> wrote:
> I am using freeradius v2.1.12

  You should really use 2.2.10 at least.

> on Ubuntu 16.04, I need to configure it so that it will authenticate the incoming RADIUS messages based on their Vendor Specific Attributes. I looked over, it is not clear how to do that, hence ask people in this group.
> Here are the details -
>  1.  We have an in-house developed RADIUS client software which creates a RADIUS access request message and sends to freeradius server.
>  2.  The configuration of freeradius server is ready: when the client message has the right user/password, we can receive accept message; otherwise reject message. The authentication is PAP.
>  3.  Now we insert VSA attribute: the code is 26, the vendor id is our vendor's ID and the custom name and value.
>  4.  Our goal is, make freeradius server authenticate not only user/password, but also this VSA - when an invalid name/value are put into VSA, freeradius sends reject message.

  You don't "authenticate" the VSA.  You just check it's value.

> I check out dictionary, but that seems just some name mapping, I do not think it authenticate attributes.

  The dictionary defines attributes.  The configuration files tell the server how to process packets.

> Could you point me the direction how this could be done and preferably with some examples?

  How about giving *us* some examples?  What do these attributes look like?  What do you want to compare them with?

  Hint: debug output is infinitely better than vague descriptions.

> I can upgrade to freeradius v3 if it is required.

  You can probably do it in v2.  You jut need to *describe* what you want to do.

 Alan DeKok.

More information about the Freeradius-Users mailing list