Hi,
I’ve been testing privacyIDEA for OTP on FortiGate and RDP for a few days.
I initially configured the policies for FortiGate correctly, and everything worked fine by activating the authentication policy “challenge_response”=totp and “otppin”=userstore.
To get OTP (TOTP) to work over RDP, however, I need to exclude the authentication policy set for FortiGate.
I thought it would be enough to enter the IP address used by FortiGate in the “client” field of the authentication policy, but it seems like the match isn’t being made when I try to authenticate on the firewall.
This is the FreeRADIUS log with firewall authentication without any value in the “client” field of the PI authentication policy (so login was successful):
Mon May 4 10:10:15 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 10:10:15 2026 : Info: rlm_perl: Debugging config: false
Mon May 4 10:10:15 2026 : Info: rlm_perl: Verifying SSL certificate: false
Mon May 4 10:10:15 2026 : Info: rlm_perl: Default URL https://localhost/validate/check
Mon May 4 10:10:15 2026 : Info: rlm_perl: Looking for config for auth-type Perl
Mon May 4 10:10:15 2026 : Info: rlm_perl: Password encoding guessed: ascii
Mon May 4 10:10:15 2026 : Info: rlm_perl: Username encoding guessed: ascii
Mon May 4 10:10:15 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 10:10:15 2026 : Info: rlm_perl: Auth-Type: Perl
Mon May 4 10:10:15 2026 : Info: rlm_perl: url: https://localhost/validate/check
Mon May 4 10:10:15 2026 : Info: rlm_perl: user sent to privacyidea: user.ldap
Mon May 4 10:10:15 2026 : Info: rlm_perl: realm sent to privacyidea:
Mon May 4 10:10:15 2026 : Info: rlm_perl: resolver sent to privacyidea:
Mon May 4 10:10:15 2026 : Info: rlm_perl: client sent to privacyidea: 192.168.1.100
Mon May 4 10:10:15 2026 : Info: rlm_perl: state sent to privacyidea:
Mon May 4 10:10:15 2026 : Info: rlm_perl: urlparam pass
Mon May 4 10:10:15 2026 : Info: rlm_perl: urlparam client
Mon May 4 10:10:15 2026 : Info: rlm_perl: urlparam user
Mon May 4 10:10:15 2026 : Info: rlm_perl: Request timeout: 10
Mon May 4 10:10:15 2026 : Info: rlm_perl: Not verifying SSL certificate!
Mon May 4 10:10:16 2026 : Info: rlm_perl: elapsed time for privacyidea call: 0.447964
Mon May 4 10:10:16 2026 : Info: rlm_perl: privacyIDEA Result status is true!
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++ Parsing group: Attribute
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Filter-Id’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘user’->‘groups’ == ‘CN=(.?),OU=FWGruop,OU=Groups,DC=domain,DC=local’ THEN ‘Filter-Id’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ searching in directory user
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute Filter-Id added.
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++ Found member ‘Attribute otherAttribute’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘otherAttribute’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ no directory
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Class’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘Class’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ no directory
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Fortinet-Group-Name’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘user’->‘groups’ == 'CN=(\w),OU=FWGruop,OU=Groups,DC=domain,DC=local’ THEN ‘Fortinet-Group-Name’
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++ searching in directory user
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute Fortinet-Group-Name added.
Mon May 4 10:10:16 2026 : Info: rlm_perl: ++++ Parsing group: Mapping
Mon May 4 10:10:16 2026 : Info: rlm_perl: +++++ Found member ‘Mapping user’
Mon May 4 10:10:16 2026 : Info: rlm_perl: return RLM_MODULE_HANDLED
Mon May 4 10:10:26 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 10:10:26 2026 : Info: rlm_perl: Debugging config: false
Mon May 4 10:10:26 2026 : Info: rlm_perl: Verifying SSL certificate: false
Mon May 4 10:10:26 2026 : Info: rlm_perl: Default URL https://localhost/validate/check
Mon May 4 10:10:26 2026 : Info: rlm_perl: Looking for config for auth-type Perl
Mon May 4 10:10:26 2026 : Info: rlm_perl: Password encoding guessed: ascii
Mon May 4 10:10:26 2026 : Info: rlm_perl: Username encoding guessed: ascii
Mon May 4 10:10:26 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 10:10:26 2026 : Info: rlm_perl: Auth-Type: Perl
Mon May 4 10:10:26 2026 : Info: rlm_perl: url: https://localhost/validate/check
Mon May 4 10:10:26 2026 : Info: rlm_perl: user sent to privacyidea: user.ldap
Mon May 4 10:10:26 2026 : Info: rlm_perl: realm sent to privacyidea:
Mon May 4 10:10:26 2026 : Info: rlm_perl: resolver sent to privacyidea:
Mon May 4 10:10:26 2026 : Info: rlm_perl: client sent to privacyidea: 192.168.1.100
Mon May 4 10:10:26 2026 : Info: rlm_perl: state sent to privacyidea: 17353040191077299046
Mon May 4 10:10:26 2026 : Info: rlm_perl: urlparam pass
Mon May 4 10:10:26 2026 : Info: rlm_perl: urlparam client
Mon May 4 10:10:26 2026 : Info: rlm_perl: urlparam user
Mon May 4 10:10:26 2026 : Info: rlm_perl: urlparam state
Mon May 4 10:10:26 2026 : Info: rlm_perl: Request timeout: 10
Mon May 4 10:10:26 2026 : Info: rlm_perl: Not verifying SSL certificate!
Mon May 4 10:10:26 2026 : Info: rlm_perl: elapsed time for privacyidea call: 0.461763
Mon May 4 10:10:26 2026 : Info: rlm_perl: privacyIDEA access granted for user.ldap realm=‘’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++ Parsing group: Attribute
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Filter-Id’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘user’->‘groups’ == ‘CN=(.?),OU=FWGruop,OU=Groups,DC=domain,DC=local’ THEN ‘Filter-Id’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ searching in directory user
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ User attribute is a list: ARRAY(0x7b634c39a808)
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match CN=grp_test_vpn_fw,OU=FWGruop,OU=Groups,DC=domain,DC=local
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Filter-Id = grp_test_vpn_fw
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match CN=grp_test_admin_fw,OU=FWGruop,OU=Groups,DC=domain,DC=local
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Filter-Id = grp_test_admin_fw
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++ Found member ‘Attribute otherAttribute’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘otherAttribute’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ no directory
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute otherAttribute added.
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Class’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘’->‘’ == ‘’ THEN ‘Class’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ no directory
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ User attribute is a string:
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: No match, no RADIUS attribute Class added.
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++ Found member ‘Attribute Fortinet-Group-Name’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ Attribute: IF ‘user’->‘groups’ == 'CN=(\w),OU=FWGruop,OU=Groups,DC=domain,DC=local’ THEN ‘Fortinet-Group-Name’
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++ searching in directory user
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ User attribute is a list: ARRAY(0x7b634c39a808)
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match CN=grp_test_vpn_fw,OU=FWGruop,OU=Groups,DC=domain,DC=local
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = grp_test_vpn_fw
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++++ trying to match CN=grp_test_admin_fw,OU=FWGruop,OU=Groups,DC=domain,DC=local
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++++++ Result: Add RADIUS attribute Fortinet-Group-Name = grp_test_admin_fw
Mon May 4 10:10:26 2026 : Info: rlm_perl: ++++ Parsing group: Mapping
Mon May 4 10:10:26 2026 : Info: rlm_perl: +++++ Found member ‘Mapping user’
Mon May 4 10:10:26 2026 : Info: rlm_perl: return RLM_MODULE_OK
##########################
This is the FreeRADIUS log if I enter the IP address 192.168.1.100 or even 192.168.1.100/32 in the client field of the policy (no value in privacyIDEA Nodes, Valid Time, User Agent):

Mon May 4 09:49:00 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 09:49:00 2026 : Info: rlm_perl: Debugging config: false
Mon May 4 09:49:00 2026 : Info: rlm_perl: Verifying SSL certificate: false
Mon May 4 09:49:00 2026 : Info: rlm_perl: Default URL https://localhost/validate/check
Mon May 4 09:49:00 2026 : Info: rlm_perl: Looking for config for auth-type Perl
Mon May 4 09:49:00 2026 : Info: rlm_perl: Username encoding guessed: ascii
Mon May 4 09:49:00 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 09:49:00 2026 : Info: rlm_perl: Auth-Type: Perl
Mon May 4 09:49:00 2026 : Info: rlm_perl: url: https://localhost/validate/check
Mon May 4 09:49:00 2026 : Info: rlm_perl: user sent to privacyidea: aaautente.ldap
Mon May 4 09:49:00 2026 : Info: rlm_perl: realm sent to privacyidea:
Mon May 4 09:49:00 2026 : Info: rlm_perl: resolver sent to privacyidea:
Mon May 4 09:49:00 2026 : Info: rlm_perl: client sent to privacyidea: 192.168.1.100
Mon May 4 09:49:00 2026 : Info: rlm_perl: state sent to privacyidea:
Mon May 4 09:49:00 2026 : Info: rlm_perl: urlparam pass
Mon May 4 09:49:00 2026 : Info: rlm_perl: urlparam client
Mon May 4 09:49:00 2026 : Info: rlm_perl: urlparam user
Mon May 4 09:49:00 2026 : Info: rlm_perl: Request timeout: 10
Mon May 4 09:49:00 2026 : Info: rlm_perl: Not verifying SSL certificate!
Mon May 4 09:49:00 2026 : Info: rlm_perl: elapsed time for privacyidea call: 0.225898
Mon May 4 09:49:01 2026 : Info: rlm_perl: privacyIDEA Result status is true!
Mon May 4 09:49:01 2026 : Info: rlm_perl: privacyIDEA access denied for user.ldap realm=‘’
Mon May 4 09:49:01 2026 : Info: rlm_perl: return RLM_MODULE_REJECT
Mon May 4 09:49:02 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 09:49:02 2026 : Info: rlm_perl: Debugging config: false
Mon May 4 09:49:02 2026 : Info: rlm_perl: Verifying SSL certificate: false
Mon May 4 09:49:02 2026 : Info: rlm_perl: Default URL https://localhost/validate/check
Mon May 4 09:49:02 2026 : Info: rlm_perl: Looking for config for auth-type Perl
Mon May 4 09:49:02 2026 : Info: rlm_perl: Username encoding guessed: ascii
Mon May 4 09:49:02 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 09:49:02 2026 : Info: rlm_perl: Auth-Type: Perl
Mon May 4 09:49:02 2026 : Info: rlm_perl: url: https://localhost/validate/check
Mon May 4 09:49:02 2026 : Info: rlm_perl: user sent to privacyidea: user.ldap
Mon May 4 09:49:02 2026 : Info: rlm_perl: realm sent to privacyidea:
Mon May 4 09:49:02 2026 : Info: rlm_perl: resolver sent to privacyidea:
Mon May 4 09:49:02 2026 : Info: rlm_perl: client sent to privacyidea: 192.1686.1.100
Mon May 4 09:49:02 2026 : Info: rlm_perl: state sent to privacyidea:
Mon May 4 09:49:02 2026 : Info: rlm_perl: urlparam pass
Mon May 4 09:49:02 2026 : Info: rlm_perl: urlparam client
Mon May 4 09:49:02 2026 : Info: rlm_perl: urlparam user
Mon May 4 09:49:02 2026 : Info: rlm_perl: Request timeout: 10
Mon May 4 09:49:02 2026 : Info: rlm_perl: Not verifying SSL certificate!
Mon May 4 09:49:02 2026 : Info: rlm_perl: elapsed time for privacyidea call: 0.270495
Mon May 4 09:49:02 2026 : Info: rlm_perl: privacyIDEA Result status is true!
Mon May 4 09:49:02 2026 : Info: rlm_perl: privacyIDEA access denied for user.ldap realm=‘’
Mon May 4 09:49:02 2026 : Info: rlm_perl: return RLM_MODULE_REJECT
Where am I going wrong?
Thanks to anyone who wants to help me.
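When a policy's “client” condition does not seem to match, it helps to see exactly which client value rlm_perl sent for each request and what the module returned. The script below is an added example, not part of the original post: it groups rlm_perl log lines per request and flags a client value that is not a valid IP address or differs from the logged source IP. The names `parse_requests` and `client_issues` are assumptions, and the sample is abridged from the rejected attempts in the log above.

```python
import ipaddress
import re

# Abridged from the two rejected attempts in the FreeRADIUS log above.
SAMPLE = """\
Mon May 4 09:49:00 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 09:49:00 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 09:49:00 2026 : Info: rlm_perl: client sent to privacyidea: 192.168.1.100
Mon May 4 09:49:00 2026 : Info: rlm_perl: state sent to privacyidea:
Mon May 4 09:49:01 2026 : Info: rlm_perl: return RLM_MODULE_REJECT
Mon May 4 09:49:02 2026 : Info: rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
Mon May 4 09:49:02 2026 : Info: rlm_perl: Setting client IP to 192.168.1.100.
Mon May 4 09:49:02 2026 : Info: rlm_perl: client sent to privacyidea: 192.1686.1.100
Mon May 4 09:49:02 2026 : Info: rlm_perl: return RLM_MODULE_REJECT
"""

FIELD = re.compile(r"^(user|realm|resolver|client|state) sent to privacyidea:\s*(.*)$")

def parse_requests(text):
    """Split an rlm_perl log into one dict per RADIUS request."""
    requests = []
    for line in text.splitlines():
        stamp, sep, msg = line.partition(" : Info: rlm_perl: ")
        msg = msg.strip()
        if sep and msg.startswith("Config File"):
            # In the log above, every request begins with this line.
            requests.append({"started": stamp})
        elif sep and requests:
            req = requests[-1]
            m = FIELD.match(msg)
            if m:
                req[m.group(1)] = m.group(2).strip()
            elif msg.startswith("Setting client IP to "):
                req["set_ip"] = msg[len("Setting client IP to "):].rstrip(".")
            elif msg.startswith("return RLM_MODULE_"):
                req["result"] = msg[len("return RLM_MODULE_"):]
    return requests

def client_issues(req):
    """Return findings about the client value sent for one request."""
    issues, client = [], req.get("client", "")
    try:
        ipaddress.ip_address(client)
    except ValueError:
        issues.append(f"client {client!r} is not a valid IP address")
    if client != req.get("set_ip"):
        issues.append(f"client {client!r} differs from source IP {req.get('set_ip')!r}")
    return issues
```

Running `client_issues` over each record from `parse_requests` on the full log gives a per-request list of findings next to the `started` timestamp and `result` code.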