Running FreeRadius 1.1.0, and I'm wondering if I'm doing something wrong here. We have some users who have a split tunneling policy configured on their account for various historical reasons. The entries look like so: myuser Huntgroup-Name=="Office", Hint==Port-1812, Auth-Type:=Accept CVPN3000-IPSEC-Split-Tunneling-Policy = 1, CVPN3000-IPSEC-Split-Tunnel-List = "SPCCOLO_ST", Class = "OU=AOL-TW", Filter-Id = "SPCCOLO_O" Unfortunately, the split tunneling attributes aren't being returned by radiusd to the client (neither the NAS nor radclient). In testing with radclient, I get: # echo 'User-Name = "myuser", User-Password = "", NAS-IP-Address = 127.0.0.1, NAS-Port = 1' | /opt/bin/radclient -d /opt/share/dictionary/ -x 127.0.0.1:1812 auth foobar Sending Access-Request of id 63 to 127.0.0.1 port 1812 User-Name = "myuser" User-Password = "" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=63, length=42 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Our prior GNU radius setup (which I hate) did this just fine, returning: Sending Access-Request of id 224 to 172.18.165.36 port 1645 User-Name = "myuser" User-Password = "" NAS-IP-Address = 172.18.209.18 NAS-Port = 1 rad_recv: Access-Accept packet from host 172.18.165.36:1645, id=224, length=72 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Vendor-3076-Attr-55 = 0x00000001 Vendor-3076-Attr-27 = 0x535043434f4c4f5f5354 Is there something special I need to do to ensure that the Split-Tunneling attributes are returned upon successful authentication? Running radiusd in debug mode doesn't reveal anything obvious to me: # /opt/reverb/sbin/radiusd -AX Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /opt/reverb/etc/clients.conf Config: including file: /opt/reverb/etc/proxy.conf main: prefix = "/opt/reverb" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/opt/reverb/lib" main: radacctdir = "/var/log/radius" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "reverb" main: group = "reverb" main: usercollide = no main: lower_user = "yes" main: lower_pass = "no" main: nospace_user = "before" main: nospace_pass = "no" main: checkrad = "/opt/reverb/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 1 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 300 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms listen: port = 1645 listen: type = "auth" listen: port = 1646 listen: type = "acct" listen: port = 1812 listen: type = "auth" listen: port = 1813 listen: type = "acct" radiusd: entering modules setup Module: Library search path is /opt/reverb/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "none" exec: packet_type = "(null)" Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded preprocess preprocess: huntgroups = "/opt/reverb/etc/huntgroups" preprocess: hints = "/opt/reverb/etc/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded syslog syslog: hidepasswd = "yes" syslog: logextra = "(null)" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-auth" Module: Instantiated syslog (auth_log) Module: Loaded files files: usersfile = "/opt/reverb/etc/users" files: acctusersfile = "/opt/reverb/etc/acct_users" files: preproxy_usersfile = "/opt/reverb/etc/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) syslog: hidepasswd = "yes" syslog: logextra = "(null)" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-acct" Module: Instantiated syslog (acct_log) syslog: hidepasswd = "yes" syslog: logextra = "User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port}" syslog: logfacility = "local3" syslog: loglevel = "info" syslog: logname = "radiusd-auth" Module: Instantiated syslog (reply_log) Listening on authentication *:1645 Listening on accounting *:1646 Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1647 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1:36126, id=68, length=64 User-Name = "myuser" User-Password = "" NAS-IP-Address = 127.0.0.1 NAS-Port = 1 rad_rmspace_pair: User-Name now 'myuser' Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 hints: Matched DEFAULT at 35 radius_xlat: 'Port-1812' modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "auth_log" returns ok for request 0 users: Matched entry myuser at line 28547 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user Login OK: [myuser] (from client localhost port 1) Processing the post-auth section of radiusd.conf modcall: entering group post-auth for request 0 radius_xlat: 'User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,NAS-Port = 1' rlm_syslog: User-Name = %{User-Name},Client-IP-Address = %{Client-IP-Address},NAS-IP-Address = %{NAS-IP-Address},NAS-Port = %{NAS-Port} expands to User-Name = myuser,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,NAS-Port = 1 modcall[post-auth]: module "reply_log" returns ok for request 0 modcall: leaving group post-auth (returns ok) for request 0 Sending Access-Accept of id 68 to 127.0.0.1 port 36126 Class = 0x4f553d414f4c2d5457 Filter-Id = "SPCCOLO_O" Finished request 0 Going to the next request