Hi: I am using FreeRadius version 2.1.12 on CentOS6. I am authenticating against Active Directory (that works). And authorizing against LDAP (that works as well). I am trying to return attributes, used for VLAN assignment, based on the usersDN. In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the following # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap if (control:Ldap-UserDn =~ /OU=QA/) { update reply { Tunnel-Type:1 := 13 Tunnel-Medium-Type:1 := 6 Tunnel-Private-Group-Id:1 := 7 } } elsif (control:Ldap-UserDn =~ /OU=IT/) { update reply { Tunnel-Type:1 := 13 Tunnel-Medium-Type:1 := 6 Tunnel-Private-Group-Id:1 := 2 } } else { update reply { Tunnel-Type:1 := 13 Tunnel-Medium-Type:1 := 6 Tunnel-Private-Group-Id:1 := 21 } } In the authorize section. That works, when authorize is done it queries LDAP successfully. Looking through the radius debug I see the IF statements processing: rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0, length=122 User-Name = "mceroni" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000c016d6365726f6e69 Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mceroni", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "mceroni", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for mceroni [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> mceroni [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni) [ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0 [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to cmad01.clairmail.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with filter (samAccountName=mceroni) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user mceroni authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (control:Ldap-UserDn =~ /OU=QA/) ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE ++? elsif (control:Ldap-UserDn =~ /OU=IT/) ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...} +++[reply] returns ok And it appears to set the attributes: +[pap] returns noop ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) expand: %{request:User-Name} -> mceroni ? Evaluating ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE ++? if ("%{request:User-Name}" =~ /^host\/(.*).clairmail.local$/) -> FALSE Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 48400 Tunnel-Type:1 = VLAN Tunnel-Medium-Type:1 = IEEE-802 Tunnel-Private-Group-Id:1 = "2" EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2a1689d42a17904c9b87561fac99b7b3 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1, length=250 User-Name = "mceroni" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201007a198000000070160301006b01000067030150ee101279602ec4eddc8d6cfc926da85eee0e034a2c20ea6abd4fd75e1ea55500003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000 State = 0x2a1689d42a17904c9b87561fac99b7b3 Message-Authenticator = 0x0a3e365c6cd7a8ae795def8cb962360e But in the final response those attributes are not there. Sending Access-Accept of id 9 to 127.0.0.1 port 48400 MS-MPPE-Recv-Key = 0xf318d3dd21910be1544fd848af03baebe4f23ae85b786100b02b967d4cc1761e MS-MPPE-Send-Key = 0xa01a409bf3f54388c69613c576e657605022285909917ddbee9e52e776c3b0e1 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "mceroni" Any help would be appreciated. Thanks