My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.
Ahem, your first post: output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204: Packet-Type = Access-Request Mon Feb 4 23:55:50 2008 User-Name = "jakub" User-Password = "1234628665" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "ssh" NAS-Port = 21704 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.5.0.39" Client-IP-Address = 10.5.0.31 <=== Stripped-User-Name = "jakub" Realm = "NULL" Realm = "NULL" Proxy-State = 0x313039 Ivan Kalik Kalik Informatika ISP