I removed from config all stuff about update reply. And after detailed review of debug output i see Class attribute in some access-challenge messages, but not in access-accept.
Here it is all output from radiusd -X.



Received Access-Request Id 248 from 192.168.10.201:59882 to 192.168.10.191:1812 length 141
        User-Name = 'temp'
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 5
        NAS-Port-Id = 'test1'
        NAS-IP-Address = 192.168.10.234
        Called-Station-Id = '192.168.10.234[4500]'
        Calling-Station-Id = '93.80.16.38[4500]'
        EAP-Message = 0x020000090174656d70
        NAS-Identifier = 'gateway'
        Message-Authenticator = 0x1b4fcfd646f936dceab6f4fddbc8f992
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> temp
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   update request {
(0) EXPAND %{User-Name}
(0)    --> temp
(0) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'}
(0)    --> hVPN
(0)     Huntgroup-Name := '"hVPN"'
(0)   } # update request = noop
(0)   switch &Huntgroup-Name {
(0)    case hVPN {
(0)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(0) sql_groupcmp
(0) EXPAND %{User-Name}
(0)    --> temp
(0) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(0) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0)    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(0) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(0)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  -> TRUE
(0)     if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  {
(0)      [ok] = ok
(0)     } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  = ok
(0)      ... skipping elsif for request 0: Preceding "if" was taken
(0)      ... skipping else for request 0: Preceding "if" was taken
(0)    } # case hVPN = ok
(0)   } # switch &Huntgroup-Name = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "temp", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : EAP packet type response id 0 length 9
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505df3a42e
(0)   [eap] = handled
(0)  } #  authenticate = handled
Sending Access-Challenge Id 248 from 192.168.10.191:1812 to 192.168.10.201:59882
        EAP-Message = 0x010100160410155cc3fbd296329e1f248410d4b22746
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5df2a0505df3a42e07f74e7f5a56fbca
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 249 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156
        User-Name = 'temp'
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 5
        NAS-Port-Id = 'test1'
        NAS-IP-Address = 192.168.10.234
        Called-Station-Id = '192.168.10.234[4500]'
        Calling-Station-Id = '93.80.16.38[4500]'
        EAP-Message = 0x02010006031a
        NAS-Identifier = 'gateway'
        State = 0x5df2a0505df3a42e07f74e7f5a56fbca
        Message-Authenticator = 0x379292a6a43305dfd5ba975c67efea76
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1)    --> temp
(1)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(1)     if (User-Name =~ / /)
(1)     if (User-Name =~ / /)  -> FALSE
(1)     if (User-Name =~ /@.*@/ )
(1)     if (User-Name =~ /@.*@/ )  -> FALSE
(1)     if (User-Name =~ /\\.\\./ )
(1)     if (User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)     if (User-Name =~ /\\.$/)
(1)     if (User-Name =~ /\\.$/)   -> FALSE
(1)     if (User-Name =~ /@\\./)
(1)     if (User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   update request {
(1) EXPAND %{User-Name}
(1)    --> temp
(1) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'}
(1)    --> hVPN
(1)     Huntgroup-Name := '"hVPN"'
(1)   } # update request = noop
(1)   switch &Huntgroup-Name {
(1)    case hVPN {
(1)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(1) sql_groupcmp
(1) EXPAND %{User-Name}
(1)    --> temp
(1) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(1) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1)    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(1) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(1)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  -> TRUE
(1)     if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  {
(1)      [ok] = ok
(1)     } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  = ok
(1)      ... skipping elsif for request 1: Preceding "if" was taken
(1)      ... skipping else for request 1: Preceding "if" was taken
(1)    } # case hVPN = ok
(1)   } # switch &Huntgroup-Name = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1) suffix : No '@' in User-Name = "temp", looking up realm NULL
(1) suffix : No such realm "NULL"
(1)   [suffix] = noop
(1) eap : EAP packet type response id 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1) sql : EXPAND %{User-Name}
(1) sql :    --> temp
(1) sql : SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql :    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id'
(1) sql : User found in radcheck table
(1) sql : Check items matched
(1) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql :    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id'
(1) sql : User found in radreply table
(1) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql :    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(1) sql : User found in the group table
(1) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql :    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id'
(1) sql : Group "vpn-usr" check items matched
(1) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql :    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id'
(1) sql : Group "vpn-usr" reply items processed
rlm_sql (sql): Released connection (4)
(1)   [sql] = ok
(1)   [expiration] = noop
(1)   [logintime] = noop
(1) WARNING: pap : Auth-Type already set.  Not setting to PAP
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap : Expiring EAP session with state 0x5df2a0505df3a42e
(1) eap : Finished EAP session with state 0x5df2a0505df3a42e
(1) eap : Previous EAP request found for state 0x5df2a0505df3a42e, released from the list
(1) eap : Peer sent NAK (3)
(1) eap : Found mutually acceptable type MSCHAPv2 (26)
(1) eap : Calling eap_mschapv2 to process EAP data
(1) eap_mschapv2 : Issuing Challenge
(1) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505cf0ba2e
(1)   [eap] = handled
(1)  } #  authenticate = handled
Sending Access-Challenge Id 249 from 192.168.10.191:1812 to 192.168.10.201:59882
        Class = 0x6d79636c617373
        EAP-Message = 0x0102001e1a0102001910362d923290bd75ecc6814d14e491598774656d70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 250 from 192.168.10.201:59882 to 192.168.10.191:1812 length 213
        User-Name = 'temp'
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 5
        NAS-Port-Id = 'test1'
        NAS-IP-Address = 192.168.10.234
        Called-Station-Id = '192.168.10.234[4500]'
        Calling-Station-Id = '93.80.16.38[4500]'
        EAP-Message = 0x0202003f1a0202003a31440620e8b9a9a347ad6c2f345041ee5b000000000000000036451431ac5eebe501d403085a2c344aee284396153aaf210074656d70
        NAS-Identifier = 'gateway'
        State = 0x5df2a0505cf0ba2e07f74e7f5a56fbca
        Message-Authenticator = 0x8e5b760a40c5c11205c4f6348f947c66
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2)    --> temp
(2)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(2)     if (User-Name =~ / /)
(2)     if (User-Name =~ / /)  -> FALSE
(2)     if (User-Name =~ /@.*@/ )
(2)     if (User-Name =~ /@.*@/ )  -> FALSE
(2)     if (User-Name =~ /\\.\\./ )
(2)     if (User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (User-Name =~ /\\.$/)
(2)     if (User-Name =~ /\\.$/)   -> FALSE
(2)     if (User-Name =~ /@\\./)
(2)     if (User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   update request {
(2) EXPAND %{User-Name}
(2)    --> temp
(2) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(2) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'}
(2)    --> hVPN
(2)     Huntgroup-Name := '"hVPN"'
(2)   } # update request = noop
(2)   switch &Huntgroup-Name {
(2)    case hVPN {
(2)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(2) sql_groupcmp
(2) EXPAND %{User-Name}
(2)    --> temp
(2) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(2) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2)    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(2) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(2)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  -> TRUE
(2)     if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  {
(2)      [ok] = ok
(2)     } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  = ok
(2)      ... skipping elsif for request 2: Preceding "if" was taken
(2)      ... skipping else for request 2: Preceding "if" was taken
(2)    } # case hVPN = ok
(2)   } # switch &Huntgroup-Name = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "temp", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
(2) eap : EAP packet type response id 2 length 63
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2)   [eap] = updated
(2) sql : EXPAND %{User-Name}
(2) sql :    --> temp
(2) sql : SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql :    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'temp' ORDER BY id'
(2) sql : User found in radcheck table
(2) sql : Check items matched
(2) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql :    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'temp' ORDER BY id'
(2) sql : User found in radreply table
(2) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql :    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(2) sql : User found in the group table
(2) sql : EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(2) sql :    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vpn-usr' ORDER BY id'
(2) sql : Group "vpn-usr" check items matched
(2) sql : EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(2) sql :    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vpn-usr' ORDER BY id'
(2) sql : Group "vpn-usr" reply items processed
rlm_sql (sql): Released connection (4)
(2)   [sql] = ok
(2)   [expiration] = noop
(2)   [logintime] = noop
(2) WARNING: pap : Auth-Type already set.  Not setting to PAP
(2)   [pap] = noop
(2)  } #  authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap : Expiring EAP session with state 0x5df2a0505cf0ba2e
(2) eap : Finished EAP session with state 0x5df2a0505cf0ba2e
(2) eap : Previous EAP request found for state 0x5df2a0505cf0ba2e, released from the list
(2) eap : Peer sent MSCHAPv2 (26)
(2) eap : EAP MSCHAPv2 (26)
(2) eap : Calling eap_mschapv2 to process EAP data
(2) eap_mschapv2 : # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) eap_mschapv2 :  Auth-Type MS-CHAP {
(2) mschap : Found Cleartext-Password, hashing to create LM-Password
(2) mschap : Found Cleartext-Password, hashing to create NT-Password
(2) mschap : Creating challenge hash with username: temp
(2) mschap : Client is using MS-CHAPv2
(2) mschap : Adding MS-CHAPv2 MPPE keys
(2)   [mschap] = ok
(2)  } # Auth-Type MS-CHAP = ok
MSCHAP Success
(2) eap : New EAP session, adding 'State' attribute to reply 0x5df2a0505ff1ba2e
(2)   [eap] = handled
(2)  } #  authenticate = handled
Sending Access-Challenge Id 250 from 192.168.10.191:1812 to 192.168.10.201:59882
        Class = 0x6d79636c617373
        EAP-Message = 0x010300331a0302002e533d37433431313734354230434342434642433642443939384239313546374639354339443630303232
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 251 from 192.168.10.201:59882 to 192.168.10.191:1812 length 156
        User-Name = 'temp'
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        NAS-Port = 5
        NAS-Port-Id = 'test1'
        NAS-IP-Address = 192.168.10.234
        Called-Station-Id = '192.168.10.234[4500]'
        Calling-Station-Id = '93.80.16.38[4500]'
        EAP-Message = 0x020300061a03
        NAS-Identifier = 'gateway'
        State = 0x5df2a0505ff1ba2e07f74e7f5a56fbca
        Message-Authenticator = 0x0651a29f80e0bee2a19fcbb7e6d6e58a
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3)   authorize {
(3)   filter_username filter_username {
(3)     if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3)    --> temp
(3)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(3)     if (User-Name =~ / /)
(3)     if (User-Name =~ / /)  -> FALSE
(3)     if (User-Name =~ /@.*@/ )
(3)     if (User-Name =~ /@.*@/ )  -> FALSE
(3)     if (User-Name =~ /\\.\\./ )
(3)     if (User-Name =~ /\\.\\./ )  -> FALSE
(3)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(3)     if (User-Name =~ /\\.$/)
(3)     if (User-Name =~ /\\.$/)   -> FALSE
(3)     if (User-Name =~ /@\\./)
(3)     if (User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3)   update request {
(3) EXPAND %{User-Name}
(3)    --> temp
(3) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
rlm_sql (sql): Executing query: 'SELECT groupname FROM radhuntgroup WHERE nasipaddress='192.168.10.201''
rlm_sql (sql): Released connection (4)
(3) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{Packet-Src-IP-Address}'}
(3)    --> hVPN
(3)     Huntgroup-Name := '"hVPN"'
(3)   } # update request = noop
(3)   switch &Huntgroup-Name {
(3)    case hVPN {
(3)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")
(3) sql_groupcmp
(3) EXPAND %{User-Name}
(3)    --> temp
(3) SQL-User-Name set to 'temp'
rlm_sql (sql): Reserved connection (4)
(3) EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(3)    --> SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'temp' ORDER BY priority'
(3) sql_groupcmp finished: User is a member of group vpn-usr
rlm_sql (sql): Released connection (4)
(3)      if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  -> TRUE
(3)     if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  {
(3)      [ok] = ok
(3)     } # if (Service-Type == "Framed-User" && SQL-Group == "vpn-usr")  = ok
(3)      ... skipping elsif for request 3: Preceding "if" was taken
(3)      ... skipping else for request 3: Preceding "if" was taken
(3)    } # case hVPN = ok
(3)   } # switch &Huntgroup-Name = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3) suffix : No '@' in User-Name = "temp", looking up realm NULL
(3) suffix : No such realm "NULL"
(3)   [suffix] = noop
(3) eap : EAP packet type response id 3 length 6
(3) eap : EAP-MSCHAPV2 success, returning short-circuit ok
(3)   [eap] = ok
(3)  } #  authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap : Expiring EAP session with state 0x5df2a0505ff1ba2e
(3) eap : Finished EAP session with state 0x5df2a0505ff1ba2e
(3) eap : Previous EAP request found for state 0x5df2a0505ff1ba2e, released from the list
(3) eap : Peer sent MSCHAPv2 (26)
(3) eap : EAP MSCHAPv2 (26)
(3) eap : Calling eap_mschapv2 to process EAP data
(3) eap : Freeing handler
(3)   [eap] = ok
(3)  } #  authenticate = ok
(3) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(3)   post-auth {
(3) sql : EXPAND .query
(3) sql :    --> .query
(3) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(3) sql : EXPAND %{User-Name}
(3) sql :    --> temp
(3) sql : SQL-User-Name set to 'temp'
(3) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(3) sql :    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'temp', '', 'Access-Accept', '2014-05-24 16:02:04')'
rlm_sql (sql): Released connection (4)
(3)   [sql] = ok
(3)   [exec] = noop
(3)   remove_reply_message_if_eap remove_reply_message_if_eap {
(3)     if (reply:EAP-Message && reply:Reply-Message)
(3)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(3)    else else {
(3)     [noop] = noop
(3)    } # else else = noop
(3)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(3)  } #  post-auth = ok
Sending Access-Accept Id 251 from 192.168.10.191:1812 to 192.168.10.201:59882
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
        MS-MPPE-Send-Key = 0x49955e70c686fcc5f62abd7bac225266
        MS-MPPE-Recv-Key = 0x74a2ad3fd3b60c672a35d5c5ad028f3c
        EAP-Message = 0x03030004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'temp'
(3) Finished request
Waking up in 0.2 seconds.
Waking up in 4.6 seconds.
(0) Cleaning up request packet ID 248 with timestamp +15
(1) Cleaning up request packet ID 249 with timestamp +15
(2) Cleaning up request packet ID 250 with timestamp +15
(3) Cleaning up request packet ID 251 with timestamp +15
Ready to process requests.




23.05.2014 19:27, Alan DeKok пишет:
free.aaa wrote:
Request does not contain Class attribute indeed.
  You didn't show that in the debug log.

I thought that by using
construction like:
                update reply {
                    Class = "%{Class}"
                }
i can grab that attribute from mysql radreply table and insert it in the
reply.
  That comment makes no sense.

Anyway why attributes from radreply does not get inserted in
access-accept when using eap-mschapv2 by default?
  They should be.