Assigning and checking against local attribute

Alan DeKok aland at
Wed Nov 10 00:45:50 CET 2021

On Nov 9, 2021, at 5:48 PM, Ara Varter <aravv at> wrote:
>   I would like specific users to be authorized against specific NAS IP
>   addresses (using FreeRADIUS 3.0.13).

  It's best to use 3.0.25.  Packages are available at,

>  For example, user "user1" should
>   only be authenticated it the NAS-IP-Address is one of a set of IP
>   addresses.
>   First, a new local attribute called "My-NAS-Group" was created in the
>   /etc/raddb/dictionary file as a string.

  OK, that's good.

>   Next, the /etc/raddb/mods-available/passwd file, there is a pointer to
>   the file 'test-groups.txt'.
>     passwd poc_groups {
>             filename = /etc/raddb/test-groups.txt
>             format = "*NAS-IP-Address:~My-NAS-Group"

  You have that inverted.  See mods-available/etc_group.  If it's not in 3.0.13, you can upgrade.  But here's a snippet:

passwd etc_group {
	filename = /etc/group
	format = "=Etc-Group-Name:::*,User-Name"

  That defines Etc-Group-Name if one of the User-Names match.  You can do something similar.  Change User-Name to NAS-IP-Address, etc.  And then list multiple (comma-separated) NAS-IP-Address on one line.

>   Finally, I would like to use the 'My-NAS-Group' as a match criteria for
>   the user authentication.  For example, in the 'users' file:
>     user1   Cleartext-Password := "hello", My-NAS-Group == "g1"
>                 Service-Type = Login-User

  The My-NAS-Group attribute will only exist if the "poc_groups" file was run before the "files" module.

>   In the /etc/raddb/sites-available/default file, the only change that
>   has been made is to enable 'unix' authentication.

  i.e. you haven't listed "poc_groups" before the "files" module, which is needed for this to work.

>  This is for
>   authenticating using the local linux server accounts, however this is
>   separate from what I'm trying to do here.  In other words, there is no
>   local system account for user "user1".

  That should be OK.

>   From the debug output there is no reference to "My-NAS-Group" and the
>   authentication fails.  The authentication works if the "My-NAS-Group"
>   is removed.

  Because you never told it *when* to use the poc_groups module.

>   What additional configuration is needed in freeradius for the local
>   attribute "My-NAS-Group" to be used as a match criteria in the 'users'
>   file?

  List "poc_groups" before the "files" module in the "authorize" section.

  And edit the "format" string to use the correct group-like matching.

  Alan DeKok.

More information about the Freeradius-Users mailing list