Improve audit information with multiple policies?

Ladies and Gentlemen,

We are very happy with our evaluation of privacyIDEA so far: we have a local FreeRADIUS server installed on the privacyIDEA system, were able to import LDAP users and Google Authenticator seeds so it can now work as a “drop-in” replacement for our previous RADIUS setup.

We can see entries in the audit log about successful logins using POST /validate/check with the TOTP tokens (providing the respective serial numbers and policies) - nice! However, the client information is (here) not very interesting (it is the local RADIUS server) - it would be desirable to see which of our servers wants to authenticate a specific user (several of our services use RADIUS for authentication). Should we use individual policies and identify access this way, and how (we currently only have one policy for authentication with OTP; the client parameter in the policy is not useful, as this is always the localhost here)?

Many thanks in advance.
Best regards,
Stefan

You should read all 600 pages of the documentation :wink:
Then you will stumble upon this one:
https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client

The authentication request originates from the FreeRADIUS Server and the plugin.
This is why you see the IP of this server.
However, you can allow this IP address to overwrite this information and pass the IP of the RADIUS client.

Excellent - thank you!

We are using FreeRADIUS on our privacyIDEA server with the privacyidea-radius package.

[The Setup subsection in the RADIUS plugin section of the documentation should be updated: the file to change is /etc/freeradius/3.0/mods-enabled/perl and instead of module = /usr/share/privacyidea/freeradius/privacyidea_radius.pm the syntax is now filename = /usr/share/privacyidea/freeradius/privacyidea_radius.pm, I believe]

However, it does not yet work and it seems we have overlooked something:

(1) The documentation says that “The NAS-IP-Address is sent as the client parameter to the privacyIDEA server.” - so this is apparently already taken care of when using the original Perl plugin without additional configuration?
(2) We have a policy (Priority 1) for a specific service, zerberus, where client is that service’s IP from which the privacyIDEA local RADIUS server is contacted.
(3) In the privacyIDEA system config, we have entered 127.0.0.1 (the IP of the local RADIUS server) in the Override Authorization Clients field.

We have another policy (Priority 2) without a specific client (but also otppin: userstore) and, it seems, that is being used even if requests originate from the zerberus system (and we would have expected to see the zerberus policy instead). What are we missing?

Many thanks in advance!
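As an added illustration (not privacyIDEA's own code, and not part of this thread) of how the override described in the earlier reply and the priority-1/priority-2 policies in this post interact, the following simplified Python model attributes a request to a client address and picks the policy by client filter and priority. The addresses, policy names and the matching rules are constructed assumptions for the example; privacyIDEA's real policy engine has more matching criteria than this.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                 # lower number wins, as in privacyIDEA
    client: Optional[str] = None  # IP/network the policy is limited to; None = any client

def effective_client(remote_addr: str, client_param: Optional[str],
                     override_clients: List[str]) -> str:
    """Client IP the request is attributed to (the audit 'client' column).

    Model assumption: the 'client' parameter forwarded by the RADIUS plugin is
    honoured only when the *connecting* address is listed under Override
    Authorization Clients; otherwise the connecting address (the RADIUS
    server itself) is used.
    """
    remote = ip_address(remote_addr)
    trusted = any(remote in ip_network(o, strict=False) for o in override_clients)
    return client_param if (client_param and trusted) else remote_addr

def matching_policies(policies: List[Policy], client: str) -> List[Policy]:
    """Policies whose client filter matches the attributed client, best priority first."""
    addr = ip_address(client)
    hits = [p for p in policies
            if p.client is None or addr in ip_network(p.client, strict=False)]
    return sorted(hits, key=lambda p: p.priority)

def winning_policy(policies: List[Policy], remote_addr: str,
                   client_param: Optional[str],
                   override_clients: List[str]) -> Tuple[str, Optional[str]]:
    client = effective_client(remote_addr, client_param, override_clients)
    hits = matching_policies(policies, client)
    return client, (hits[0].name if hits else None)

# Constructed sample: the two policies from the thread, with made-up addresses.
ZERBERUS_IP = "192.0.2.10"      # NAS-IP-Address the plugin forwards as 'client'
POLICIES = [Policy("zerberus", 1, ZERBERUS_IP), Policy("otp-default", 2)]

if __name__ == "__main__":
    # Override list empty: the audit shows 127.0.0.1 and the fallback policy wins.
    print(winning_policy(POLICIES, "127.0.0.1", ZERBERUS_IP, []))
    # RADIUS server listed: the forwarded NAS address is used and zerberus matches.
    print(winning_policy(POLICIES, "127.0.0.1", ZERBERUS_IP, ["127.0.0.1"]))
    # Plugin connects from an address that is not listed: the override is not applied.
    print(winning_policy(POLICIES, "198.51.100.5", ZERBERUS_IP, ["127.0.0.1"]))
```

The third case is the check worth making against the real audit log: the client column shows the address the request was actually attributed to, and if it still shows the RADIUS server, the override list does not contain the address that server connected from.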