Authentication with Vendor-Specific Attribute

Alan DeKok aland at
Tue Apr 20 12:05:20 CEST 2021

On Apr 20, 2021, at 5:57 AM, Daniel Kastner <daniel.kastner at> wrote:
> I'm totally new to this (free)Radius stuff and trying to achieve authentication based on a vendor-specific attribute send by the client.
> I've add the custom attribute in a new dictionary file /opt/share/freeradius/dictionary.myvendor:
> VENDOR MyVendor 16132
> ATTRIBUTE MyVendor -OneTimePassword 1 string

  That seems fine.  It's better to use the actual vendor name, though,

> Included it in the /opt/share/freeradius/dictionary:
> $INCLUDE dictionary.myvendor

  That will get over-written on the next install of the server.  The installation process assumes that you don't edit the default dictionaries.

  You can put the $INCLUDE into raddb/dictionary, where it will not get over-written.  The installation process assumes that you edit the files in raddb/, so it doesn't over-write them.

> And now trying the following in file /opt/etc/raddb/mods-config/files/authorize:
> bob Cleartext-Password := "hello"
>  if( &MyVendor-OneTimePassword == "123456" ) {
>    Auth-Type := Accept
>    Reply-Message := "Hello %{User-Name}, great to have you here!"
>  } else {
>    Auth-Type := Reject
>    Reply-Message := "Sorry %{User-Name}, wrong OTP"
> }

  That's not the format of the "authorize" file.  See the many other examples in that file, and "man users" documentation for it.

  You can put the "bob" line into the "authorize" file.

  The rest has to go into raddb/sites-available/default, in the "authorize" section.  There are many examples of if / then / else logic in that file.

  Alan DeKok.

More information about the Freeradius-Users mailing list