
NAS Realm entry not used when authenticating / huntgroup issues

Help
2023-07-04
2023-07-06
  • matt Penner

    matt Penner - 2023-07-04

    Realized I posted on general discussion when this should instead be on the help forum:

    I have my radiusdesk set up using NAS subnets (i.e. westOffice 192.168.1.0/24) for login authentication.
    I have a few realms, with users delegated realms depending on where they are.

    I would like it so that only users in westOffice can log in to the westOffice NAS entry, so what I did was, instead of "all realms", I set the 192.168.1.0/24 NAS entry's realm to be "West Office".

    I have two users: "user1" has their realm set to "West Office" and "user2" has their realm set to "East Office".

    How I would expect this to work is that user1 could log in to 192.168.1.0/24 and user2 would be unable to log in to that NAS subnet, but what I see instead is that NAS is completely ignored when logging in to the devices.

    Radiusd -X shows that my realm on each user is properly set, logging my SQL queries shows that the queries contain my proper NAS, and yet I am allowed to log in to any device.

    I even tested setting up an entirely new realm called "Test Realm", and setting NAS 192.168.1.0/24 to only "Test Realm", however both user1 and user2 were still able to log in even with different realms.

    Is the realm only meant for accounting? I would like to use it as a method of separating where users are able to log in.

    Also - just a note but I did restart my freeradius server every time I made changes to NAS or realms, but that did not resolve the issue.

     
  • Bernie137

    Bernie137 - 2023-07-06

    Hello,

    I think it is the same problem in my environment, version 2022-B.
    It is not possible to prohibit logins from NAS if this realm is not allowed on this NAS.

    Maybe it is a solution for you to make a difference between SSID West Office and SSID East Office...? But it would be easier to have a difference between the realms. Realms are there to delimit access from different companies or departments, for example. Exactly what you mean, but it does not work.

    Bernie

     
