Unlang – the unlanguage
FreeRADIUS supports a simple processing language called Unlang (short for unlanguage). This allows us to make rules that add additional controls to the RADIUS authentication flow and final decision.
Unlang syntax is generally found in the virtual server files—in our case, that would be /etc/freeradius/3.0/sites-enabled/default, and can be in the sections titled authorize, authenticate, post-auth, preacct, accounting, pre-proxy, post-proxy, and session.
In most common deployments, we might look for an incoming RADIUS variable or AV pair—for instance, Service-Type, which might be Administrative or Authenticate-Only, and in the Unlang code, match that up with a check against group membership—for instance, network admins, VPN users, or wireless users.
For the simple case of the two firewall login requirements (VPN-Only or Administrative access), you might have a rule like this:
if(&NAS-IP-Address == "192.168.122.20"...
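A complete rule of the kind described above, written out as an added example (not the original page's code) for the post-auth section of a FreeRADIUS 3.0 virtual server. It assumes the ldap module is enabled so that LDAP-Group can be tested, uses the hypothetical group names "Network Admins" and "VPN Users", and writes the Service-Type values with their standard dictionary names, Administrative-User and Authenticate-Only.

```unlang
post-auth {
    # Apply this policy only to requests that arrive from the firewall.
    if (&NAS-IP-Address == 192.168.122.20) {

        # Administrative logins: the user must be in the admin group.
        # "Network Admins" is a hypothetical group name.
        if (&Service-Type == Administrative-User && LDAP-Group == "Network Admins") {
            update reply {
                &Reply-Message := "Administrative access granted"
            }
        }

        # VPN logins: the user must be in the VPN group.
        # "VPN Users" is a hypothetical group name.
        elsif (&Service-Type == Authenticate-Only && LDAP-Group == "VPN Users") {
            update reply {
                &Reply-Message := "VPN access granted"
            }
        }

        # Default deny: valid credentials alone are not enough. Any other
        # Service-Type, or a user outside both groups, gets an Access-Reject.
        else {
            update reply {
                &Reply-Message := "Not authorized for this service"
            }
            reject
        }
    }
}
```

The final else branch is the part that matters for access control: without it, a user with a valid password but no matching group would still be accepted by the firewall.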