Hello,
I have created a user like this
> select * from radcheck where id=3;
+----+----------+--------------------+----+----------+
| id | username | attribute         | op | value   |
+----+----------+--------------------+----+----------+
| 3 | tata    | Cleartext-Password | := | passtata |
+----+----------+--------------------+----+----------+
> select * from radreply where id=3;
+----+----------+--------------+----+-------+
| id | username | attribute   | op | value |
+----+----------+--------------+----+-------+
| 3 | tata    | Fall-Through | = | Yes  |
+----+----------+--------------+----+-------+
> select * from radusergroup;
+----+----------+-----------+----------+
| id | username | groupname | priority |
+----+----------+-----------+----------+
| 1 | tata    | admin    |       1 |
+----+----------+-----------+----------+
> select * from radgroupreply;
+----+-----------+-------------------------+----+----------+
| id | groupname | attribute              | op | value   |
+----+-----------+-------------------------+----+----------+
| 1 | admin    | Tunnel-Type            | == | VLAN    |
| 2 | admin    | Tunnel-Medium-Type     | == | IEEE-802 |
| 3 | admin    | Tunnel-Private-Group-Id | == | 9       |
+----+-----------+-------------------------+----+----------+
But when I make my radius test request the Access accept is sent but not the other attributes
# radtest tata passtata 127.0.0.1 1812 testing123
Sent Access-Request Id 54 from 0.0.0.0:39af to 127.0.0.1:1812 length 74
       User-Name = "tata"
       User-Password = "passtata"
       NAS-IP-Address = 10.127.2.210
       NAS-Port = 1812
       Message-Authenticator = 0x00
       Cleartext-Password = "passtata"
Received Access-Accept Id 54 from 127.0.0.1:714 to 127.0.0.1:14767 length 20
In my debug logs my attributes are retrieved but not sent
(2) Received Access-Request Id 54 from 127.0.0.1:14767 to 127.0.0.1:1812 length 74
(2)Â Â User-Name = "tata"
(2)Â Â User-Password = "passtata"
(2)Â Â NAS-IP-Address = 10.127.2.210
(2)Â Â NAS-Port = 1812
(2)Â Â Message-Authenticator = 0xbea8f8a6107528be29765e63e58d0a3d
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)Â Â authorize {
(2)Â Â Â Â policy filter_username {
(2)Â Â Â Â Â Â if (&User-Name) {
(2)Â Â Â Â Â Â if (&User-Name)Â -> TRUE
(2)Â Â Â Â Â Â if (&User-Name)Â {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ / /) {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ / /)Â -> FALSE
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /@[^@]*@/ ) {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /@[^@]*@/ )Â -> FALSE
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /\.\./ ) {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /\.\./ )Â -> FALSE
(2)Â Â Â Â Â Â Â Â if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))Â {
(2)Â Â Â Â Â Â Â Â if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))Â Â -> FALSE
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /\.$/)Â {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /\.$/)Â Â -> FALSE
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /(a)\./)Â {
(2)Â Â Â Â Â Â Â Â if (&User-Name =~ /(a)\./)Â Â -> FALSE
(2)Â Â Â Â Â Â } # if (&User-Name)Â = notfound
(2)Â Â Â Â } # policy filter_username = notfound
(2)Â Â Â Â [preprocess] = ok
(2)Â Â Â Â [chap] = noop
(2)Â Â Â Â [mschap] = noop
(2)Â Â Â Â [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "tata", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)Â Â Â Â [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)Â Â Â Â [eap] = noop
(2)Â Â Â Â [files] = noop
(2) sql: EXPAND %{User-Name}
(2) sql:Â Â Â --> tata
(2) sql: SQL-User-Name set to 'tata'
rlm_sql (sql): Reserved connection (5)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:Â Â Â --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tata' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tata' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql:Â Â Cleartext-Password := "passtata"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:Â Â Â --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tata' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tata' ORDER BY id
(2) sql: User found in radreply table, merging reply items
(2) sql:Â Â Fall-Through = Yes
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql:Â Â Â --> SELECT groupname FROM radusergroup WHERE username = 'tata' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'tata' ORDER BY priority
(2) sql: User found in the group table
(2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:Â Â Â --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
(2) sql: Group "admin": Conditional check items matched
(2) sql: Group "admin": Merging assignment check items
(2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:Â Â Â --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id
(2) sql: Group "admin": Merging reply items
(2) sql:Â Â Tunnel-Type == VLAN
(2) sql:Â Â Tunnel-Medium-Type == IEEE-802
(2) sql:Â Â Tunnel-Private-Group-Id == "9"
rlm_sql (sql): Released connection (5)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 10.9.8-MariaDB, protocol version 10
rlm_sql (sql): Closing expired connection (6) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing expired connection (0) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
(2)Â Â Â Â [sql] = ok
(2)Â Â Â Â [expiration] = noop
(2)Â Â Â Â [logintime] = noop
(2)Â Â Â Â [pap] = updated
(2)Â Â } # authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)Â Â Auth-Type PAP {
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: User authenticated successfully
(2)Â Â Â Â [pap] = ok
(2)Â Â } # Auth-Type PAP = ok
(2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(2)Â Â post-auth {
(2)Â Â Â Â if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(2)Â Â Â Â if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))Â -> FALSE
(2)Â Â Â Â update {
(2)Â Â Â Â Â Â No attributes updated for RHS &session-state:
(2)Â Â Â Â } # update = noop
(2) sql: EXPAND .query
(2) sql:Â Â Â --> .query
(2) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(2) sql: EXPAND %{User-Name}
(2) sql:Â Â Â --> tata
(2) sql: SQL-User-Name set to 'tata'
(2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(2) sql:Â Â Â --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'tata', 'passtata', 'Access-Accept', '2025-01-18 01:21:24.187903' )
(2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'tata', 'passtata', 'Access-Accept', '2025-01-18 01:21:24.187903' )
(2) sql: SQL query returned: success
(2) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(2)Â Â Â Â [sql] = ok
(2)Â Â Â Â [exec] = noop
(2)Â Â Â Â policy remove_reply_message_if_eap {
(2)Â Â Â Â Â Â if (&reply:EAP-Message && &reply:Reply-Message) {
(2)Â Â Â Â Â Â if (&reply:EAP-Message && &reply:Reply-Message)Â -> FALSE
(2)Â Â Â Â Â Â else {
(2)Â Â Â Â Â Â Â Â [noop] = noop
(2)Â Â Â Â Â Â } # else = noop
(2)Â Â Â Â } # policy remove_reply_message_if_eap = noop
(2)Â Â Â Â if (EAP-Key-Name && &reply:EAP-Session-Id) {
(2)Â Â Â Â if (EAP-Key-Name && &reply:EAP-Session-Id)Â -> FALSE
(2)Â Â } # post-auth = ok
(2) Login OK: [tata] (from client localhost port 1812)
(2) Sent Access-Accept Id 54 from 127.0.0.1:1812 to 127.0.0.1:14767 length 20
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 54 with timestamp +6200 due to cleanup_delay was reached
Ready to process requests
I don't have any filters in place
# grep filt /etc/raddb/radiusd.conf
What could be the problem ?