multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs
michael at jarrett.id.au
Thu Dec 16 01:33:46 CET 2010
Hi,
During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:
MySQL:

radcheck:
id      UserName       Attribute  op  Value
9791    test at realm  Password   :=  {clear}somepass

radgroupreply:
id      GroupName    Attribute     op  Value
161     VRF-TEST     Cisco-AVPair  +=  ip:vrf-id=TEST
162     VRF-TEST     Cisco-AVPair  +=  ip:ip-unnumbered=loopback25
2211    QOS-PROFILE  Cisco-AVPair  +=  ip:sub-qos-policy-out=TEST-QOS-PROFILE

radreply:
id      UserName       Attribute          op  Value
124561  test at realm  Framed-IP-Netmask  =   255.255.255.255
124571  test at realm  Framed-IP-Address  =   1.1.1.1

usergroup:
UserName       GroupName    priority
test at realm  VRF-TEST     1
test at realm  QOS-PROFILE  2

Debugging Radius on the Cisco shows (amongst other things):
RADIUS: Vendor, Cisco [26] 21
RADIUS: Cisco AVpair [1] 15 "ip:vrf-id=TEST"
RADIUS: Vendor, Cisco [26] 35
RADIUS: Cisco AVpair [1] 29 "ip:ip-unnumbered=loopback25"
If you set QOS-PROFILE to priority 0 for example, it will then only pick up the QOS-PROFILE usergroup, not both. Setting both usergroups to the same priority yields the same results; only applying the first, never both.
To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see freeradius sending one usergroup in the Access-Accept response.
This is also a fresh freeradius install via FreeBSD ports; no configuration was carried over from the previous install except for MySQL DB credentials.
Thoughts?