Freeradius: remove VLAN tag when request comes from specific client

I have a RADIUS server which is configured to add VLAN tags based on the LDAP groups the user is a member of. However in my situation I also need my RADIUS to authenticate users who connect to equipment in an other organization. Their organization route the authentication requests from their radius to mine and waits for a response. The problem is that the response still contains the users VLAN tag, this confuses the other organizations RADIUS server.

So here is how i stripped the VLAN tag in the response to the other organizations RADIUS servers.

In this example the radius servers ip’s are and

In your sites configuration file (/etc/freeradius/sites-enabled/inner-tunnel) place the code somewhere below where you added the VLAN tags you want to remove for request from specific RADIUS servers.

if ((Packet-Src-IP-Address == "") || (Packet-Src-IP-Address == "")) {
 Tunnel-Private-Group-Id -= "%{reply:Tunnel-Private-Group-Id}"
This entry was posted in Scripting and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *