Hi, after upgrading our server from 2.0.4 to 2.1.10 we see a change in the auth logic - e.g. when processing proxied requests to a home server and their replies. We need this feature to append some special attributes to the accept-packet from the home server before sending it to the NAS. 1) Our config in 2.0.4 (the DEFAULT record is recognized before sending the packet to the NAS): proxy.conf: =========== realm foo { type = radius authhost = 1.2.3.4 secret = hidden nostrip } users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6" sites-enabled/default: ====================== authorize { ... files ... } test: ===== # radtest test@foo password localhost:1812 # /usr/sbin/freeradiusd -X ... rad_recv: Access-Request packet from host 127.0.0.1 port 51046, id=236, length=74 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "foo" for User-Name = "test@foo" rlm_realm: Found realm "foo" rlm_realm: Adding Realm = "foo" rlm_realm: Proxying request from user test to realm foo rlm_realm: Preparing to proxy authentication request to realm "foo" ++[suffix] returns updated rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound expand: %{User-Name} -> test@foo users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Sending Access-Request of id 228 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 Proxy-State = 0x323336 Proxying request 50 to home server 1.2.3.4 port 1812 Sending Access-Request of id 228 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.63 NAS-Port = 123 Proxy-State = 0x323336 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=228, length=117 Proxy-State = 0x323336 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e +- entering group post-proxy rlm_eap: No pre-existing handler found ++[eap] returns noop +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Proxy reply, or no User-Name. Ignoring. ++[suffix] returns noop ++[eap] returns noop ++[unix] returns notfound expand: %{User-Name} -> test@foo users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [test@foo/password] (from client LOCALHOST port 123) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 236 to 127.0.0.1 port 51046 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f300502000001370001c0a8cb0601cd117a507f4414000000000000010e MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e MS-Primary-DNS-Server = 192.168.203.6 MS-Secondary-DNS-Server = 192.168.203.1 MS-Primary-NBNS-Server = 192.168.203.6 Finished request 50. 2) Our config in 2.1.10 (the DEFAULT record is ignored before sending the packet to the NAS): proxy.conf: =========== realm foo { type = radius authhost = 1.2.3.4 secret = hidden nostrip } users file: =========== DEFAULT User-Name =~ "test@foo" MS-Primary-DNS-Server = "192.168.203.6", MS-Secondary-DNS-Server = "192.168.203.1", MS-Primary-NBNS-Server = "192.168.203.6" sites-enabled/default: ====================== authorize { ... files ... } test: ===== # radtest test@foo password localhost:1812 # /usr/sbin/freeradiusd -X ... Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 49833, id=110, length=74 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "foo" for User-Name = "test@foo" [suffix] Found realm "foo" [suffix] Adding Realm = "foo" [suffix] Proxying request from user test to realm foo [suffix] Preparing to proxy authentication request to realm "foo" ++[suffix] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] expand: %{User-Name} -> test@foo [files] users: Matched entry DEFAULT at line 6 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 231 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 Proxy-State = 0x313130 Proxying request 0 to home server 1.2.3.4 port 1812 Sending Access-Request of id 231 to 1.2.3.4 port 1812 User-Name = "test@foo" User-Password = "password" NAS-IP-Address = 172.16.1.55 NAS-Port = 123 Proxy-State = 0x313130 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Accept packet from host 1.2.3.4 port 1812, id=231, length=117 Proxy-State = 0x313130 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122 MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e # Executing section post-proxy from file /etc/freeradius/sites-enabled/default +- entering group post-proxy {...} [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [test@foo] (from client LOCALHOST port 123) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 110 to 127.0.0.1 port 49833 Framed-Protocol = PPP Service-Type = Framed-User Class = 0x4f440516000001370001c0a8cb0601cd117a507f44140000000000000122 MS-Link-Utilization-Threshold = 50 MS-Link-Drop-Time-Limit = 120 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x0000000e Finished request 0. I tried it under 2.1.10 also with "files" in the "post-auth" section but it did not work - I've got only one more message that tells me a "noop": ... # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[files] returns noop ++[exec] returns noop ... So my question is how to assign the DEFAULT record to an reply packet from a proxy in 2.1.10? Thx, Gerald