Hi, we try to send VLAN-Attributes after a sucessfull authentication to our clients. A file "rad-vlan" contains the MAC-Address, as search key, and various other attributes which we want to assign. "rad-vlan" is processed through the module files in the section post-auth and does nothing. Only if we execute it with rad-vlan.authorize, it is successfully processed. Without ".authorize": Configuration ############################ server eap_server { listen { ipaddr = * port = 1645 type = auth limit { } } authorize { eap { ok = return } files expiration logintime } authenticate { Auth-Type PAP { } Auth-Type CHAP { } Auth-Type MS-CHAP { } eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { } } } preacct { preprocess acct_unique files } accounting { detail exec } session { } post-auth { if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) { update request { Stripped-User-Name := "%{2}" Realm := "%{1}" } } update reply { Tunnel-Type := "13" Tunnel-Medium-Type := "6" } rad-vlan <---------------------------------------------------- update reply { Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}" } Post-Auth-Type REJECT { eap } } pre-proxy { } post-proxy { eap } } Debugoutput #################################################### (14) } # authenticate = ok (14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB) (14) # Executing section post-auth from file /etc/radiusd/sites-enabled/default (14) post-auth { (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) (14) EXPAND %{request:User-Name} (14) --> materna\\ldapsearch (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) -> TRUE (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) { (14) update request { (14) EXPAND %{2} (14) --> ldapsearch (14) Stripped-User-Name := "ldapsearch" (14) EXPAND %{1} (14) --> materna\ (14) Realm := "materna\\" (14) } # update request = noop (14) } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) = noop (14) update reply { (14) Tunnel-Type := VLAN (14) Tunnel-Medium-Type := IEEE-802 (14) } # update reply = noop (14) rad-vlan : EXPAND %{Calling-Station-Id} <---------------------------------------------------- (14) rad-vlan : --> 12-34-56-78-90-AB <---------------------------------------------------- (14) [rad-vlan] = noop (14) update reply { (14) EXPAND %{control:Tunnel-Private-Group-Id} (14) --> (14) Tunnel-Private-Group-Id = "" (14) } # update reply = noop (14) } # post-auth = noop With ".authorize": Configuration ############################################################################# server eap_server { listen { ipaddr = * port = 1645 type = auth limit { } } authorize { eap { ok = return } files expiration logintime } authenticate { Auth-Type PAP { } Auth-Type CHAP { } Auth-Type MS-CHAP { } eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { } } } preacct { preprocess acct_unique files } accounting { detail exec } session { } post-auth { if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) { update request { Stripped-User-Name := "%{2}" Realm := "%{1}" } } update reply { Tunnel-Type := "13" Tunnel-Medium-Type := "6" } rad-vlan.authorize <---------------------------------------------------- update reply { Tunnel-Private-Group-Id="%{control:Tunnel-Private-Group-Id}" } Post-Auth-Type REJECT { eap } } pre-proxy { } post-proxy { eap } } Debugoutput ################################################################# (14) } # authenticate = ok (14) Login OK: [materna\\ldapsearch/<via Auth-Type = EAP>] (from client sles11 port 0 cli 12-34-56-78-90-AB) (14) # Executing section post-auth from file /etc/radiusd/sites-enabled/default (14) post-auth { (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) (14) EXPAND %{request:User-Name} (14) --> materna\\ldapsearch (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) -> TRUE (14) if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) { (14) update request { (14) EXPAND %{2} (14) --> ldapsearch (14) Stripped-User-Name := "ldapsearch" (14) EXPAND %{1} (14) --> materna\ (14) Realm := "materna\\" (14) } # update request = noop (14) } # if ("%{request:User-Name}" =~ /^(.*)\\\\(.*)/) = noop (14) update reply { (14) Tunnel-Type := VLAN (14) Tunnel-Medium-Type := IEEE-802 (14) } # update reply = noop (14) rad-vlan : EXPAND %{Calling-Station-Id} (14) rad-vlan : --> 12-34-56-78-90-AB (14) rad-vlan : users: Matched entry 12-34-56-78-90-AB at line 1 (14) [rad-vlan.authorize] = ok (14) update reply { (14) EXPAND %{control:Tunnel-Private-Group-Id} (14) --> 200 (14) Tunnel-Private-Group-Id = "200" (14) } # update reply = noop (14) } # post-auth = ok