How can I give a FreeRadius User only access to ONE CP in Multi CP Setup?

  • Hi folks,

    I got 2 networks and give every segement an own CP.
    Also I installed and created a user 'a' and 'b' in FreeRadius.
    Everything works fine so far.

    The issue I can't solve is that user 'b' should only use the 2. network
    But the user 'a' and 'b' can log in CP @ any network.
    There is no way (I found) to tell user 'b' can only use the 2. network.

    Someone can give me a hint? Link?
    Or did I found a bug?
    I didn't found a szenario like this somewhere.


  • Hi,

    didn't test that myself but I think it could be done with some additional attributes freeradius should check:

    When user "b" should be allowed to only connect from CP2 - which has IP address - then you should add this as a "check-item" on this user:

    NAS-IP-Address ==

    So if the authentication request comes from CP2 which has IP address then the check is true and the user "b" can access. If the user tries to authenticate from a different CP with different IP address of the CP the user "b" cannot connect.

    Users who should be able to connect from both CP should not have this additional check-item.

    If you have users which should be able to authenticate from different IP-Addresses then this link could be helpful:

    Check the operator  =~

    Hope this will help you!

    Hallo Nachtfalke,

    Du hast mich gerettet!  ;D

    THNX for hitting me into the right direction.
    I found a BUG in pf-sense too.

    If a user is only accepted in one CP,  u should use: NAS-IP-Address ==
    If a user is accepted in different CPs, u should use: NAS-IP-Address =~ " |"

    The solution:

    Look to Attachment pics.

    IMPORTANT: If you need to use a REGEXP for more than one network, you HAVE to go to console and correct the users file manually!

    in pfsense it looks like:                          NAS-IP-Address =~ " |"
    but saved in file after you pressed save:  NAS-IP-Address =~ ""

    The | is missing in the REGEXP.

    Than you should go to console and correct the file entry manually:

    vi /usr/pbi/freeradius-amd64/etc/raddb/users

    "penthouse" MD5-Password := "098f6bcd4621d373cade4e832627b4f6", NAS-IP-Address =~ "**|**"

    After that u restart the radius service and everything is fine. :)

    Hope this helps other people too.

  • It's not a bug - it's a feature ;-)

    This problem is not pfsense related, it is package related. Like the explanation below the text box says the vertical bar is for making a new line. If you do not need this in your environment for CHECK-ITEM then just modify


    beginning on line 455 till 484

    Replace the following:


    with something else you want like:




    Then you should be able to make all changes from GUI - because if you do any change on the GUI on any user the complete users file will be re-written and if you have 100 users you need to modify this using vi 100 times.

    Viel Erfolg :-)

  • Wow,


    That is certainly correct, NOT a pfsense Bug. :)
    Really much thanks to share the information for the package programming.

    Nice weekend.


Log in to reply