I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept. Here it is all output from radiusd -X. Received *Access-Request* Id 248 from 192.168.10.201:59882 to 192.168.10.191:1812 length 141 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x020000090174656d70 NAS-Identifier = 'gateway' Message-Authenticator = 0x1b4fcfd646f936dceab6f4fddbc8f992 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> temp (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) update request { (0) EXPAND %{User-Name} (0) --> temp (0) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (0) --> hVPN (0) Huntgroup-Name := '"hVPN"' (0) } # update request = noop (0) switch &Huntgroup-Name { (0) case hVPN { (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (0) sql_groupcmp (0) EXPAND %{User-Name} (0) --> temp (0) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (0) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (0) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (0) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (0) [ok] = ok (0) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (0) ... skipping elsif for request 0: Preceding "if" was taken (0) ... skipping else for request 0: Preceding "if" was taken (0) } # case hVPN = ok (0) } # switch &Huntgroup-Name = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "temp", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 0 length 9 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505df3a42e (0) [eap] = handled (0) } # authenticate = handled Sending *Access-Challenge *Id 248 from 192.168.10.191:1812 to 192.168.10.201:59882 EAP-Message = 0x010100160410155cc3fbd296329e1f248410d4b22746 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505df3a42e07f74e7f5a56fbca (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 249 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x02010006031a NAS-Identifier = 'gateway' State = 0x5df2a0505df3a42e07f74e7f5a56fbca Message-Authenticator = 0x379292a6a43305dfd5ba975c67efea76 (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> temp (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) update request { (1) EXPAND %{User-Name} (1) --> temp (1) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (1) --> hVPN (1) Huntgroup-Name := '"hVPN"' (1) } # update request = noop (1) switch &Huntgroup-Name { (1) case hVPN { (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (1) sql_groupcmp (1) EXPAND %{User-Name} (1) --> temp (1) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (1) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (1) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (1) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (1) [ok] = ok (1) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (1) ... skipping elsif for request 1: Preceding "if" was taken (1) ... skipping else for request 1: Preceding "if" was taken (1) } # case hVPN = ok (1) } # switch &Huntgroup-Name = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "temp", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql : EXPAND %{User-Name} (1) sql : --> temp (1) sql : SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id' (1) sql : User found in radcheck table (1) sql : Check items matched (1) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id' (1) sql : User found in radreply table (1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql : --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (1) sql : User found in the group table (1) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql : --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id' (1) sql : Group "vpn-usr" check items matched (1) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (1) sql : --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id' (1) sql : Group "vpn-usr" reply items processed rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x5df2a0505df3a42e (1) eap : Finished EAP session with state 0x5df2a0505df3a42e (1) eap : Previous EAP request found for state 0x5df2a0505df3a42e, released from the list (1) eap : Peer sent NAK (3) (1) eap : Found mutually acceptable type MSCHAPv2 (26) (1) eap : Calling eap_mschapv2 to process EAP data (1) eap_mschapv2 : Issuing Challenge (1) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505cf0ba2e (1) [eap] = handled (1) } # authenticate = handled Sending *Access-Challenge* Id 249 from 192.168.10.191:1812 to 192.168.10.201:59882 *Class *= 0x6d79636c617373 EAP-Message = 0x0102001e1a0102001910362d923290bd75ecc6814d14e491598774656d70 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca (1) Finished request Waking up in 0.3 seconds. Received *Access-Request* Id 250 from 192.168.10.201:59882 to 192.168.10.191:1812 length 213 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x0202003f1a0202003a31440620e8b9a9a347ad6c2f345041ee5b000000000000000036451431ac5eebe501d403085a2c344aee284396153aaf210074656d70 NAS-Identifier = 'gateway' State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca Message-Authenticator = 0x8e5b760a40c5c11205c4f6348f947c66 (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> temp (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) update request { (2) EXPAND %{User-Name} (2) --> temp (2) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (2) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (2) --> hVPN (2) Huntgroup-Name := '"hVPN"' (2) } # update request = noop (2) switch &Huntgroup-Name { (2) case hVPN { (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (2) sql_groupcmp (2) EXPAND %{User-Name} (2) --> temp (2) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (2) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (2) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (2) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (2) [ok] = ok (2) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (2) ... skipping elsif for request 2: Preceding "if" was taken (2) ... skipping else for request 2: Preceding "if" was taken (2) } # case hVPN = ok (2) } # switch &Huntgroup-Name = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "temp", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 2 length 63 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) sql : EXPAND %{User-Name} (2) sql : --> temp (2) sql : SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (2) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id' (2) sql : User found in radcheck table (2) sql : Check items matched (2) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (2) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id' (2) sql : User found in radreply table (2) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (2) sql : --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (2) sql : User found in the group table (2) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id (2) sql : --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id' (2) sql : Group "vpn-usr" check items matched (2) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id (2) sql : --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id' (2) sql : Group "vpn-usr" reply items processed rlm_sql (sql): Released connection (4) (2) [sql] = ok (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : Auth-Type already set. Not setting to PAP (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x5df2a0505cf0ba2e (2) eap : Finished EAP session with state 0x5df2a0505cf0ba2e (2) eap : Previous EAP request found for state 0x5df2a0505cf0ba2e, released from the list (2) eap : Peer sent MSCHAPv2 (26) (2) eap : EAP MSCHAPv2 (26) (2) eap : Calling eap_mschapv2 to process EAP data (2) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/default (2) eap_mschapv2 : Auth-Type MS-CHAP { (2) mschap : Found Cleartext-Password, hashing to create LM-Password (2) mschap : Found Cleartext-Password, hashing to create NT-Password (2) mschap : Creating challenge hash with username: temp (2) mschap : Client is using MS-CHAPv2 (2) mschap : Adding MS-CHAPv2 MPPE keys (2) [mschap] = ok (2) } # Auth-Type MS-CHAP = ok MSCHAP Success (2) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505ff1ba2e (2) [eap] = handled (2) } # authenticate = handled Sending *Access-Challenge *Id 250 from 192.168.10.191:1812 to 192.168.10.201:59882 * Class = *0x6d79636c617373 EAP-Message = 0x010300331a0302002e533d37433431313734354230434342434642433642443939384239313546374639354339443630303232 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca (2) Finished request Waking up in 0.3 seconds. Received *Access-Request* Id 251 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156 User-Name = 'temp' NAS-Port-Type = Virtual Service-Type = Framed-User NAS-Port = 5 NAS-Port-Id = 'test1' NAS-IP-Address = 192.168.10.234 Called-Station-Id = '192.168.10.234[4500]' Calling-Station-Id = '93.80.16.38[4500]' EAP-Message = 0x020300061a03 NAS-Identifier = 'gateway' State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca Message-Authenticator = 0x0651a29f80e0bee2a19fcbb7e6d6e58a (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> temp (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) update request { (3) EXPAND %{User-Name} (3) --> temp (3) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201'' rlm_sql (sql): Released connection (4) (3) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'} (3) --> hVPN (3) Huntgroup-Name := '"hVPN"' (3) } # update request = noop (3) switch &Huntgroup-Name { (3) case hVPN { (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") (3) sql_groupcmp (3) EXPAND %{User-Name} (3) --> temp (3) SQL-User-Name set to 'temp' rlm_sql (sql): Reserved connection (4) (3) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (3) --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority' (3) sql_groupcmp finished: User is a member of group vpn-usr rlm_sql (sql): Released connection (4) (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") -> TRUE (3) if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") { (3) [ok] = ok (3) } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr") = ok (3) ... skipping elsif for request 3: Preceding "if" was taken (3) ... skipping else for request 3: Preceding "if" was taken (3) } # case hVPN = ok (3) } # switch &Huntgroup-Name = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "temp", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 3 length 6 (3) eap : EAP-MSCHAPV2 success, returning short-circuit ok (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0x5df2a0505ff1ba2e (3) eap : Finished EAP session with state 0x5df2a0505ff1ba2e (3) eap : Previous EAP request found for state 0x5df2a0505ff1ba2e, released from the list (3) eap : Peer sent MSCHAPv2 (26) (3) eap : EAP MSCHAPv2 (26) (3) eap : Calling eap_mschapv2 to process EAP data (3) eap : Freeing handler (3) [eap] = ok (3) } # authenticate = ok (3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (3) post-auth { (3) sql : EXPAND .query (3) sql : --> .query (3) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (3) sql : EXPAND %{User-Name} (3) sql : --> temp (3) sql : SQL-User-Name set to 'temp' (3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (3) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04')' rlm_sql (sql): Released connection (4) (3) [sql] = ok (3) [exec] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (reply:EAP-Message && reply:Reply-Message) (3) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # post-auth = ok Sending *Access-Accept* Id 251 from 192.168.10.191:1812 to 192.168.10.201:59882 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed MS-MPPE-Send-Key = 0x49955e70c686fcc5f62abd7bac225266 MS-MPPE-Recv-Key = 0x74a2ad3fd3b60c672a35d5c5ad028f3c EAP-Message = 0x03030004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = 'temp' (3) Finished request Waking up in 0.2 seconds. Waking up in 4.6 seconds. (0) Cleaning up request packet ID 248 with timestamp +15 (1) Cleaning up request packet ID 249 with timestamp +15 (2) Cleaning up request packet ID 250 with timestamp +15 (3) Cleaning up request packet ID 251 with timestamp +15 Ready to process requests. 23.05.2014 19:27, Alan DeKok ?????:
free.aaa wrote:
Request does not contain Class attribute indeed. You didn't show that in the debug log.
I thought that by using construction like:
update reply { Class = "%{Class}" }
i can grab that attribute from mysql radreply table and insert it in the reply. That comment makes no sense.
Anyway why attributes from radreply does not get inserted in access-accept when using eap-mschapv2 by default? They should be.