Multiple radius clients from one IP
aland at deployingradius.com
Thu Jan 9 14:34:24 CET 2020
On Jan 9, 2020, at 7:57 AM, Xander Lammertink <jooppy92 at hotmail.com> wrote:
> I was working on setting up FreeRADIUS, however I came across the following problem:
> I'd like to have the clients of my access point with multiple SSIDs to authenticate using radius.
> The way I tried to set this up was by creating multiple clients each having their own secret and refer to a virtual server.
> Based on the radius client, the preferred virtual server would be chosen that would select the desired authentication mechanism.
Based on *what part* of the RADIUS client? How does the server know which packet comes from which client?
> However, when I create two clients with the same "ipaddr" (which is the case for my access point), I get the following error:
> freeradius: Failed to add duplicate client client_name
Yes. RADIUS clients are distinguished by source IP address. That's how RADIUS works.
> When reading the link below I see it's possible to use my approach, except the ipaddr thing is making stuff difficult.
No, that page does *not* say it's possible to use your approach. It says each client can use its own virtual server. It does *not* say that you can list the same IP address for multiple clients.
> So is there a way to have multiple clients authenticate from the same IP address (each referring to another virtual server) without listing on multiple tcp/udp ports?
No. RADIUS doesn't work like that.
Think of it this way: how does the RADIUS server tell that the packet is from client 1 versus from client 2? What part of the configuration you edited allows the server to make that distinction?
i.e. what piece of information lets the server tell the two packets apart?
The answer is "nothing". Therefore, what you're doing won't work.
Have the server listen on multiple ports, and configure different clients to use different ports.
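
The multiple-ports approach suggested at the end of the reply, written out as a FreeRADIUS 3.x configuration. This is an added example, not part of the original message or the project's shipped configuration. It relies on the per-socket client lists (`clients = ...` inside a `listen` section) that the 3.x default configuration files describe; the server names, list names, ports, address and secrets are placeholders, and it assumes the access point can send each SSID's RADIUS traffic to a different port.

```conf
# Constructed example; every name, port, address and secret is a placeholder.

# clients.conf
# One client list per listening socket. The same ipaddr can appear in both
# lists because each list is consulted only for packets arriving on the
# socket that references it. The socket plus the source IP selects the
# shared secret.
clients staff_clients {
	client ap1_staff {
		ipaddr = 192.0.2.10
		secret = REPLACE_WITH_STAFF_SECRET
	}
}

clients guest_clients {
	client ap1_guest {
		ipaddr = 192.0.2.10
		secret = REPLACE_WITH_GUEST_SECRET
	}
}

# sites-enabled/staff
server staff {
	listen {
		type = auth
		ipaddr = *
		port = 1812
		# With a per-socket list set, the global client list is
		# ignored for this socket.
		clients = staff_clients
	}
	# authorize / authenticate sections for the staff SSID go here
}

# sites-enabled/guest
server guest {
	listen {
		type = auth
		ipaddr = *
		port = 11812
		clients = guest_clients
	}
	# authorize / authenticate sections for the guest SSID go here
}
```

Running the server in debug mode (`radiusd -X`) shows which listener and which client entry each packet matched, which confirms that the two SSIDs reach different virtual servers.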