Assigning and checking against local attribute

Ara Varter aravv at
Tue Nov 9 23:48:45 CET 2021

   I would like specific users to be authorized against specific NAS IP
   addresses (using FreeRADIUS 3.0.13).  For example, user "user1" should
   only be authenticated if the NAS-IP-Address is one of a set of IP

   First, a new local attribute called "My-NAS-Group" was created in the
   /etc/raddb/dictionary file as a string.

   Next, in the /etc/raddb/mods-available/passwd file, there is a pointer
   to the file 'test-groups.txt'.

     passwd poc_groups {
             filename = /etc/raddb/test-groups.txt
             format = "*NAS-IP-Address:~My-NAS-Group"
             hash_size = 300
             ignore_nislike = no
             allow_multiple_keys = no
     }

   The test-groups.txt file contains a mapping of IP address to a group
   name.  Based on the 'format' above, the idea is to assign the group
   name to the local attribute 'My-NAS-Group'.

     [root@server raddb]# more test-groups.txt

   Finally, I would like to use the 'My-NAS-Group' as a match criteria for
   the user authentication.  For example, in the 'users' file:

     user1   Cleartext-Password := "hello", My-NAS-Group == "g1"
                 Service-Type = Login-User

   In the /etc/raddb/sites-available/default file, the only change that
   has been made is to enable 'unix' authentication.  This is for
   authenticating using the local Linux server accounts; however, this is
   separate from what I'm trying to do here.  In other words, there is no
   local system account for user "user1".

   From the debug output there is no reference to "My-NAS-Group" and the
   authentication fails.  The authentication works if the "My-NAS-Group"
   is removed.

   What additional configuration is needed in FreeRADIUS for the local
   attribute "My-NAS-Group" to be used as a match criteria in the 'users'
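
An offline check of the mapping described in the post, added here as an example and not part of the original message or of FreeRADIUS: it reads a colon-delimited file laid out as the quoted format string implies (key field marked with `*`), flags lines that need attention, and evaluates the group match from the 'users' entry. The file contents, sample addresses and helper names are constructed assumptions, since the page does not show test-groups.txt.

```python
import ipaddress

# Constructed sample data; the page does not show the file's contents.
SAMPLE_GROUPS = """\
192.0.2.10:g1
192.0.2.11:g1
198.51.100.5:g2
192.0.2.10:g2
not-an-ip:g1
"""
FORMAT = "*NAS-IP-Address:~My-NAS-Group"   # format string from the post
USERS = {"user1": "g1"}                    # users entry: My-NAS-Group == "g1"

def parse_format(fmt, delimiter=":"):
    """Return (field names, index of the key field marked with '*')."""
    names, key = [], None
    for i, field in enumerate(fmt.split(delimiter)):
        if field.startswith("*"):
            key = i
        # Drop markers; the list that '~' or '=' selects is not modelled.
        names.append(field.lstrip("*,=~"))
    if key is None:
        raise ValueError("format has no key field marked with '*'")
    return names, key

def load_groups(text, fmt=FORMAT):
    """Map each NAS IP to its group; collect lines that need attention."""
    names, key = parse_format(fmt)
    value = names.index("My-NAS-Group")
    table, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        if len(parts) != len(names):
            problems.append((n, "wrong field count"))
            continue
        try:
            ip = str(ipaddress.ip_address(parts[key]))
        except ValueError:
            problems.append((n, "key is not an IP address"))
            continue
        if ip in table:   # allow_multiple_keys = no: one record per key
            problems.append((n, "duplicate key"))
            continue
        table[ip] = parts[value]
    return table, problems

def would_match(user, nas_ip, table, users=USERS):
    """True when the NAS maps to the group the users entry requires."""
    return user in users and table.get(nas_ip) == users[user]
```

A NAS address that is absent from the file yields no group, so the match fails closed for that user.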

