post-auth language for two requirements

Alan DeKok aland at
Thu Apr 29 22:43:13 CEST 2021

On Apr 29, 2021, at 4:33 PM, Jessica Cohen <Jessica.Cohen at> wrote:
> I am trying to configure post-auth to require both the NAS-IP-address and a script. I don't think AND works in post-auth. At least that's my guess because it keeps failing. That or my syntax is incorrect. Looking for suggestions or alternatives. Thanks!
> Example:
> #  Post-Authentication
> #  Once we KNOW that the user has been authenticated, there are
> #  additional steps we can take.
> post-auth {
> if (%{NAS-IP-Address} = AND (`/bin/sh /etc/doscripts/ %{User-Name}` =~ /foo-admin/) {

  I'm not sure where you got that syntax from. See "man unlang" for what is allowed. There's nothing which says that an uppercase "AND" can be used.

  What you want here is:

	if ((NAS-IP-Address == ) && (`/etc/doscripts/ %{User-Name}` =~ /foo-admin/)) {

  Alan DeKok.

More information about the Freeradius-Users mailing list