Hello, I need to reply an deniedServices ldap variable in Class attribute for a controller. I added it "replyItem Class deniedServices +=" at ldap.attrmap file. and sites-available/default file includes it. But it override the Class value to empty. update reply { Class += "%{Reply-Message}" } Where it is wrong? FreeRADIUS Version 2.2.8 Output parts are: [peap] Setting User-Name to tayfund Sending tunneled request EAP-Message = 0x020900421a0209003d3167738a93d83ed76e5251bbbaa183542f0000000000000000008955f2389888dbc3771d940bc5c9ade688b2ec3b08e4f80074617966756e64 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "tayfund" State = 0xb024cc1cb02dd66832d4a5f6f46a2d5f NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "748D08E39D7F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "BM_IT_NETSYS_7b:fe" Aruba-AP-Group = "BM_binasi" Aruba-Device-Type = "iPhone" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[mschap] = noop [suffix] No '@' in User-Name = "tayfund", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [ldap] performing user authorization for tayfund [ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=tayfund) [ldap] expand: o=sabanciuniv.edu -> o=sabanciuniv.edu [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in o=sabanciuniv.edu, with filter (uid=tayfund) [ldap] Added User-Password = 5F479EB90623041F464CD3F4B685C80A in check items [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{SSHA}wM3CoVk5jYLVnHz8jyv6vHBlqv52bw==" [ldap] sambaNtPassword -> NT-Password == 0x3546343739454239303632333034314634363443443346344236383543383041 [ldap] sambaLmPassword -> LM-Password == 0x3836413243354632393945434139444343313745393630323543414633314130 [ldap] radiusAuthType -> Auth-Type == EAP [ldap] looking for reply items in directory... * [ldap] deniedServices -> Class += 0x7375636f75727365* [ldap] ou -> Operator-Name = "admin" [ldap] ou -> Operator-Name = "IT" [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok +} # group authorize = updated Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Creating challenge hash with username: tayfund [mschap] Client is using MS-CHAPv2 for tayfund, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok ++update outer.request { expand: %{User-Name} -> tayfund ++} # update outer.request = noop ++update outer.reply { expand: %{User-Name} -> tayfund ++} # update outer.reply = noop +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Class += 0x7375636f75727365 Operator-Name = "admin" EAP-Message = 0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f [peap] Got tunneled reply RADIUS code Access-Challenge * Class += 0x7375636f75727365* Operator-Name = "admin" EAP-Message = 0x010a00331a0309002e533d38384136303239324543424441413244303139424145343031363537393336353637364246453633 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb024cc1cb12ed66832d4a5f6f46a2d5f [peap] Got tunneled Access-Challenge [peap] >>> Unknown TLS version [length 0005] ++[eap] = handled +} # group authenticate = handled Going to the next request rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=108, length=259 User-Name = "tayfund" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "748D08E39D7F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020b002e190017030300239b010c14db2db49adb4087eaadbbbcf3628daf65188a552fdc7d8fbeb850ded62316e3 State = 0x0f5a59a0065140db3a8c7af8ad4bf4cc Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "BM_IT_NETSYS_7b:fe" Aruba-AP-Group = "BM_binasi" Aruba-Device-Type = "iPhone" Message-Authenticator = 0xa1cfe667210437f5f5eaf132bf431a90 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "tayfund", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 11 length 46 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< Unknown TLS version [length 0005] [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok Login OK: [tayfund] (from client 10.200.0.0/24 port 0 cli 748D08E39D7F) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { [reply_log] expand: %{Packet-Src-IP-Address} -> 10.200.0.5 [reply_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] expand: %t -> Tue Oct 3 12:06:11 2017 ++[reply_log] = ok ++[ldap] = noop ++[exec] = noop ++update reply { expand: %{Reply-Message} -> ++} # update reply = noop +} # group post-auth = ok Sending Access-Accept of id 108 to 10.200.0.5 port 52530 MS-MPPE-Recv-Key = 0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f MS-MPPE-Send-Key = 0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "tayfund" Class = 0x Finished request 785. Going to the next request Cleaning up request 596 ID 154 with timestamp +11 Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101, length=211 User-Name = "dbostan" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "E0C767163B2F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c" Aruba-AP-Group = "Yurt_Binasi" Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "dbostan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [reply_log] expand: %{Packet-Src-IP-Address} -> 10.200.0.5 [reply_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.200.0.5/reply-detail-20171003 [reply_log] expand: %t -> Tue Oct 3 12:06:11 2017 ++[reply_log] = ok ++[ldap] = noop ++[exec] = noop ++update reply { * expand: %{Reply-Message} -> * ++} # update reply = noop +} # group post-auth = ok Sending Access-Accept of id 108 to 10.200.0.5 port 52530 MS-MPPE-Recv-Key = 0xfc792d0aa5a1ff4c6e90676c80c47b799958fb603caf17dc11b68eeb182f922f MS-MPPE-Send-Key = 0x00176d351e6d75e96c0429fefa871f38022b851e2a897921fbc2ab0cc891ee5b EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "tayfund" * Class = 0x* Finished request 785. Going to the next request Cleaning up request 596 ID 154 with timestamp +11 Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 10.200.0.5 port 52530, id=101, length=211 User-Name = "dbostan" NAS-IP-Address = 10.200.0.2 NAS-Port = 0 NAS-Identifier = "10.200.0.5" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "E0C767163B2F" Called-Station-Id = "001A1E0015F0" Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xf8fdecb8fbf8f57eaba961c2ded7fb6f Aruba-Essid-Name = "SABANCIUNIV" Aruba-Location-Id = "Yurt_A5_Kat1_AP4_60:6c" Aruba-AP-Group = "Yurt_Binasi" Message-Authenticator = 0xb071cd65a32ccfd350f5f7349f570df5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "dbostan", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 101 to 10.200.0.5 port 52530 EAP-Message = 0x010601d31900b69aa50fb8b93f207dae4ab5b89ce41db6abe694a5c1c783addbf527870e046cd5ffdda05ded8752b72b1502ae39a66a74e9dac4e7bc4d341ea95c4d335f92092f88665d7797c71d7613a9d5e5f116091135d5acdb2471702c98560bd917b4d1e3512b5e75e8d5d0dc4f34edc2056680a1cbe633160301014b0c000147030017410475fb60921d74cf2365a6e0348d653613d6e5d1222e87ed4d9b572cb9402e0429049ec55655bf436673431b9c907c0181d6b68feeb9f350adc2dccee8f376d53d01005606850c2d8755fc048572396aaee257a555261ad7deaa9d4d1983db0ddc0b26679e7a3aeab13623ff652de806acd87337d63a EAP-Message = 0x55b131ca32435839495c0a854ab8507fdf5c7a420c64e3f205ef607f2df152265f4544b6b1a5673e05417a38f1e10b63c28438bda216249aff502a43efc8a154ce646da60df5da11d182a059f010c082389b4ad9f901113c159cfd4a0653583ea745983ba8ef9aae665699c04d3a9b642a33ba7bdb9d8960948823747e88e115f41d2114d4cb5f63aec906b7c53c45fb117bccf41276015597025d295aed742520a5bfd019b54e91c4986655fee8f7832ac166433b1f9897eb02f307bae930dc01b8cd0edd0d526d8bd201a8b416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf8fdecb8fcfbf57eaba961c2ded7fb6f Finished request 786. thanks.. -- *Umut A* System Specialist Information Technology Sabancı University