are you checking the username AND the VSA ? Yes, the goal is to check both username and VSA.
Here is from the email I just replied: Here are some examples of our VSA attributes: Type Length Vendor-Id Vendor-type Vendor-length Value Attr1 26 <length> 3456 100 <len> foo Attr2 26 <length> 3456 200 <len> bar The goal is we can configure Freeradius server so that in addition to user/password check: - server reads all the VSA; - for any VSA whose Vendor-Id is 3456, - when Vendor-type is "100", the value must be "foo"; "200", "bar". - If all above checks are good, sends back accept message; otherwise reject message. Our RADIUS client inserts the above to the access request message, currently freeradius debug output does not mention these attributes. I need to somehow configure the server and hence ask the question. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+j.han=f5.com@lists.freeradius.org> On Behalf Of Alan Buxey Sent: Sunday, March 11, 2018 1:51 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to configure freeradius server to authenticate VSA attribute EXTERNAL MAIL: freeradius-users-bounces+j.han=f5.com@lists.freeradius.org this could be quiet easy to do it you are ONLY expecting the VSA to be present... or are you checking the username AND the VSA ? but your FR version is horrendously outdated - does your organisation always run software many years out of date?? :( alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html