Authentication dependend on NAS-IP-address

Hi everyone,

we are using two different NAS: NAS-A and NAS-B. The NAS use Radius to query privacyidea and send their addresses in the NAS-IP-Address field.

User-Group-1 should be allowed to connect to both NAS, User-Group-2 should only be allowed to connect to NAS-A.

Does the freeradius-plugin pass the NAS-IP-Address to privacyidea? Can privacyidea process the authentication / authorization decision based on this scenario. Which kind of policy would I have to configure?

Thanks a lot and best wishes


Hi Michael,


Hm, I am not sure. This would take a few minutes of thinking.
All policies can be configured based on the client IP.

You need to configure privacyIDEA system settings to allow freeradius to “override authorization client”. Take a look in the online documentation for these key words.


Hi Cornelius,

thank you, I found the first part (override). Next I’ll have to figure out authentication policies for different realms, right?

Best wishes


Oh man. I don’t think this forum is for bootstrapping your complete configuration. Either you figure it out by reading the documentation or get some consultancy.
I personally dislike people running a Cisco ASA out of support and asking 20 questions to get a step by step setup. (But everyone is allowed to ask anything - it simply depends on who and when will answer).

You are asking for a rather specific configuration. You can probably set this up, but don’t ask me who. :wink:
It would take me more than two minutes to think about, and I do not tend to answer quastions that need more thinking than one minute :wink: