Freeradius 3.2.0 with dynamic clients on LDAP

Alan DeKok aland at
Mon Sep 5 22:18:27 UTC 2022

On Sep 4, 2022, at 9:50 AM, Igor Sousa <igorvolt at> wrote:
> I googled it more and I found this post
> (yeah, I know this happened 8 years ago).

  The documentation is always up to date.  There's no need to google things.

> I've understood that the rlm_raw
> module is necessary to access the Called-Station-Id attribute on
> site-enabled/dynamic-clients (
> and , but you warned us to not use the rlm_raw module. I don't find this
> module in

  Because it's a third-party module which isn't supported.

> Then, is it possible to access
> NAS MAC addresses in dynamic-clients configuration in Freeradius 3.2?


  RADIUS client are always keyed off of IP addresses.  What people usually want is to key off of MAC address, and then do that on a per-packet basis.  That's just not possible.

  If you want to key off of NAS identity instead of IP address, use radsec.  (RADIUS over TLS).  That's what it's for.  You can verify the client certificate of the NAS.  In which case you don't care about its' IP address, or its MAC address.

  Alan DeKok.

More information about the Freeradius-Users mailing list