How to configure freeradius server to authenticate VSA attribute

Jibin Han J.Han at
Mon Mar 12 01:38:26 CET 2018

Thanks for the reply.

Here are some examples of our VSA attributes:

              Type        Length      Vendor-Id      Vendor-type    Vendor-length    Value
Attr1       26         <length>       3456                 100                    <len>                 foo
Attr2       26         <length>       3456                 200                    <len>                 bar

The goal is we can configure Freeradius server so that in addition to user/password check:
- server reads all the VSA;
- for any VSA whose Vendor-Id is 3456,
- when Vendor-type is "100", the value must be "foo"; "200", "bar".
- If all above checks are good, sends back accept message; otherwise reject message.

Our RADIUS client inserts the above to the access request message, currently freeradius debug output does not mention these attributes. I need to somehow configure the server and hence ask the question.

I am also updating the system to use later version freeradius.

-----Original Message-----
From: Alan DeKok <aland at> 
Sent: Saturday, March 10, 2018 3:50 AM
To: Jibin Han <J.Han at>; FreeRadius users mailing list <freeradius-users at>
Subject: Re: How to configure freeradius server to authenticate VSA attribute


On Mar 10, 2018, at 1:13 AM, Jibin Han via Freeradius-Users <freeradius-users at> wrote:
> I am using freeradius v2.1.12

  You should really use 2.2.10 at least.

> on Ubuntu 16.04, I need to configure it so that it will authenticate the incoming RADIUS messages based on their Vendor Specific Attributes. I looked over, it is not clear how to do that, hence ask people in this group.
> Here are the details -
>  1.  We have an in-house developed RADIUS client software which creates a RADIUS access request message and sends to freeradius server.
>  2.  The configuration of freeradius server is ready: when the client message has the right user/password, we can receive accept message; otherwise reject message. The authentication is PAP.
>  3.  Now we insert VSA attribute: the code is 26, the vendor id is our vendor's ID and the custom name and value.
>  4.  Our goal is, make freeradius server authenticate not only user/password, but also this VSA - when an invalid name/value are put into VSA, freeradius sends reject message.

  You don't "authenticate" the VSA.  You just check it's value.

> I check out dictionary, but that seems just some name mapping, I do not think it authenticate attributes.

  The dictionary defines attributes.  The configuration files tell the server how to process packets.

> Could you point me the direction how this could be done and preferably with some examples?

  How about giving *us* some examples?  What do these attributes look like?  What do you want to compare them with?

  Hint: debug output is infinitely better than vague descriptions.

> I can upgrade to freeradius v3 if it is required.

  You can probably do it in v2.  You jut need to *describe* what you want to do.

 Alan DeKok.

More information about the Freeradius-Users mailing list