Standard & Realm Authentication
Richard J Palmer
richard at merula.net
Mon Feb 1 20:42:24 CET 2021
Hello All
We have been using FreeRadius for quite a long time to authenticate
PPPoE and L2TP sessions and hotspots. So far everything works.
However I'd like to add an extra function and wondered if you could
provide some pointers.
Generally Users send their username - we look in SQL and return Data
from radreply / ip pools etc. We have no problem there.
On our LNS / LAC Devices we also have a small number of sessions that
we forward to other ISPs. With these we don't have the username - but
forward based on realm
On our LNS We have:
---
<match name="EXAMPLE-FWD"
graph="EXAMPLE-FWD"
username="*myexample.co.uk @example.ws"
payload-table="0"
relay-pick="true"
relay-ip="1.2.3.4 1.2.3.5"
relay-secret="test123"
relay-hostname="test-hostname"/>
---
As an alternative the LNS can get this data from Radius - and given
the growing number of LNS devices - rather than keeping the sync up to
date on multiple devices it makes sense to run this as part of the
radius.
NOTE this is not a radius proxy - where we pass on the radius request
if it's a matching realm - BUT a radius reply to the LNS telling it to
forward the connection on to the customer's LNS.
What I am trying to achieve in FreeRadius is
1) If there's an exact username (as now) continue as now
2) IF there's not a match either run a second SQL which will find the
realm - and return accept. And then pass back the necessary attributes
to allow the session to forward.
Pretty happy to do most of the work here but some pointers would be
perfect.
I could I suppose do this by replacing the SQL query with a stored
procedure - but open to any better ideas?
Thanks in advance
Richard
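
The two-step lookup described in the message (exact username first, realm second), sketched as an added example that is not part of the original post and is not FreeRADIUS configuration. The table names, column names, sample rows and the returned dictionary are assumptions made for illustration; the actual reply attributes the LNS expects are not given in the message.

```python
import sqlite3

def build_db():
    """In-memory tables with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, framed_ip TEXT);
        CREATE TABLE realm_forward (realm TEXT PRIMARY KEY,
                                    relay_ip TEXT, relay_hostname TEXT);
        INSERT INTO users VALUES ('alice@isp.example', '192.0.2.10');
        INSERT INTO realm_forward VALUES
            ('wholesale.example', '198.51.100.1 198.51.100.2', 'relay-host');
    """)
    return db

def authorize(db, username):
    """Return a decision dict: local accept, forward accept, or reject."""
    # Step 1: exact username match, handled the same way as today.
    row = db.execute("SELECT framed_ip FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row:
        return {"result": "accept", "mode": "local", "framed_ip": row[0]}

    # Step 2: no user row, so look up the realm (text after the last '@').
    _, sep, realm = username.rpartition("@")
    if not sep or not realm:
        return {"result": "reject"}  # no realm present, nothing to forward on

    # Compare the whole realm, lower-cased. A suffix or wildcard match would
    # also accept look-alike realms such as 'evilwholesale.example'.
    row = db.execute("SELECT relay_ip, relay_hostname FROM realm_forward "
                     "WHERE realm = ?", (realm.lower(),)).fetchone()
    if row is None:
        return {"result": "reject"}  # unknown realm: fail closed
    return {"result": "accept", "mode": "forward",
            "relay_ip": row[0].split(), "relay_hostname": row[1]}

if __name__ == "__main__":
    db = build_db()
    for name in ("alice@isp.example", "bob@Wholesale.Example",
                 "bob@evilwholesale.example", "norealm"):
        print(name, "->", authorize(db, name))
```

Both queries are parameterized, so the username supplied by the connecting client is never concatenated into SQL.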