Newbie questions for freeradius

Root, Paul T Paul.Root at
Wed Jul 3 15:59:50 CEST 2019

Ah, that was it for the first one. I moved users out of the way and made my own, so it would be simple.

The users was actually a symbolic link to ./mod-config/files/authorize.

Thanks for the response.


-----Original Message-----
From: Freeradius-Users < at> On Behalf Of Alan DeKok
Sent: Wednesday, July 03, 2019 1:41 AM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Newbie questions for freeradius

On Jul 2, 2019, at 11:24 PM, Root, Paul T <Paul.Root at> wrote:
> I am looking into using freeradius  here for multiple client setups and I'm learning as I go.
> My configuration is CentOS 7, and freeradius  3.0.13  - straight from the CentOS repos.
> I have 2 different setups, one using the normal flat files, and one using mysql.
> So my first problem. The flat file machine. It rejects every request. And I have just the most basic example from the FreeRadius Beginners Guide. That is actually written for FreeRadius 2.0 , it could be a problem.

  You're editing file A.  The server is reading file B.

  Read the debug output to see what he "files" module is doing.  It will print out the name of the file it's reading.  Then, edit that file.

> The mysql instance is working better, following directions from daloradius, I've got it working for users that aren't in User-groups. With various clients:
> radtest locally
> radtest on a second system
> NTRadPing from a windows 10 box
> From a Cisco switch with AAA authentication.
> What I need though, is to authenticate from a cisco (and probably other vendors) machines to a group. There will be groups of NASes that need to authenticate to specific groups inside radius. And maybe multiple groups  (one group and users that aren't in a group would probably be acceptable).
> Does that make sense?    I don't understand the difference in daloradius between "User-Groups", "Profiles", "HuntGroups", and "Realms".

  Huntgroups are historically groups of NASes or lines for telephone numbers.  Realm are domain names.  Ignore the rest.

  FreeRADIUS uses databases for group membership.  You can create a custom file-based group list with the "passwd" module.  See mods-available/etc_group for an example.

  You can change the attribute name from "Etc-Group-Name"  to "NAS-Group",  and then point the "filename" to a local file that you create.  e.g.

passwd nas_group {
        filename = ${confdir}/nas_group
        format = "=NAS-Group-Name:::*,NAS-IP-Address"
        hash_size = 50
        ignore_nislike = yes
        allow_multiple_keys = yes
        delimiter = ":"

  Also add "NAS-Group-Name" to the dictionary, too.

  Then create a "nas_group" file in the configuration directory.  Use the same format as /etc/groups, but use IP addresses instead of names.

  Then add it to the "authorize" section:

authorize {


  And after the "nas_group" module runs, you can do things like:

        if (NAS-Group == "named-group") {
                ... stuff ...

  and it will match.  You can do the same with other modules / files / attributed.

  Alan DeKok.

List info/subscribe/unsubscribe? See
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

More information about the Freeradius-Users mailing list