Hello everyone, I'm using freeradius 2.0.4 with a ldap server as a backend for authentication of users to our wireless network. I've defined two ldap "servers" in the radiusd.conf file: ..... ldap ldap_uba { server = "ldap_server" basedn = "dc=uba,dc=ar" filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } ldap ldap_ccc { server = "ldap_server" basedn = "ou=CCC,dc=uba,dc=ar" filter = "(&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}}))" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } .............. I want to switch between them based on the NAS-IP-Address of the arriving request, so I've used unlang in the authorize section: authorize { unix mschap eap { ok = return } files switch "%{NAS-IP-Address}" { case 192.168.168.11 { ldap_ccc } case { ldap_uba } } expiration logintime auth_log pap } Well, my problem is that freeradius doesn't assign or expand the NAS-IP-Address attribute with the correct value of the NAS IP which is requesting for authentication, could anyone help me with this little issue? POST of the debug mode of freeradius: rad_recv: Access-Request packet from host 192.168.168.11 port 1041, id=6, length=279 Message-Authenticator = 0x341f20c2e434d8cbd92d85defa321b38 Service-Type = Framed-User User-Name = "diego@ccc.uba.ar\000" Framed-MTU = 1488 State = 0x12b38bc817b592297c4cea524b70e440 Called-Station-Id = "00-13-46-7A-DB-63:REDI-UBA VLAN12" Calling-Station-Id = "00-02-72-78-90-5B" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206003b1900170301003091d34cda32a72417c4e5e093d71f2d82fc67e0f1f3dc1483aec15e433d54c5c950e88c2f64c3fd6d8ddf656af63496d1 NAS-IP-Address = 192.168.168.11 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "ccc.uba.ar" for User-Name = "diego@ccc.uba.ar" rlm_realm: No such realm "ccc.uba.ar" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 59 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - diego@ccc.uba.ar PEAP: Got tunneled EAP-Message EAP-Message = 0x0206001501646965676f406363632e7562612e6172 PEAP: Got tunneled identity of diego@ccc.uba.ar PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to diego@ccc.uba.ar PEAP: Sending tunneled request EAP-Message = 0x0206001501646965676f406363632e7562612e6172 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "diego@ccc.uba.ar" server inner-tunnel { +- entering group authorize ++[unix] returns notfound ++[mschap] returns noop rlm_eap: EAP packet type response id 6 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop expand: %{NAS-IP-Address} -> ++- entering switch %{NAS-IP-Address} +++- entering case rlm_ldap: - authorize rlm_ldap: performing user authorization for diego@ccc.uba.ar WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (&(description=wireless)(mail=%{Stripped-User-Name:-%{User-Name}})) -> (&(description=wireless)(mail=diego@ccc.uba.ar)) expand: dc=uba,dc=ar -> dc=uba,dc=ar rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.ccc.uba.ar:389, authentication 0 rlm_ldap: bind as / to ldap.ccc.uba.ar:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=uba,dc=ar, with filter (&(description=wireless)(mail=diego@ccc.uba.ar)) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute Cleartext-Password == "pepe1234" rlm_ldap: looking for reply items in directory... rlm_ldap: user diego@ccc.uba.ar authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++++[ldap_uba] returns ok +++- case returns ok ++- switch %{NAS-IP-Address} returns ok ++[expiration] returns noop ++[logintime] returns noop expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528 rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.168.11/auth-detail-20090528 expand: %t -> Thu May 28 12:33:26 2009 ++[auth_log] returns ok rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x48fe8ac948f9909b9915b8554a615778 PEAP: Processing from tunneled session code 0x8623f78 11 EAP-Message = 0x0107002a1a0107002510a707e4f41d139b10e7d9860e8e17a80e646965676f406363632e7562612e6172 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x48fe8ac948f9909b9915b8554a615778 PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.168.11 port 1041 EAP-Message = 0x0107004b190017030100409a85d96e6b404149561fbe6dfb464b692f986263d5215ec98e2d84f3c1961a462dbd097150d5bba0e0f8b29fe80e038f691dee73f0352576d1cec4fe36d9a3eb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12b38bc814b492297c4cea524b70e440 Finished request 6. After making some test, debugging and drink lot of coffee I've solved the problem usign this fragment of code: switch "%{Client-IP-Address}" { case 192.168.168.11 { ldap_ccc } case { ldap_uba } } Freeradius does expand the Client-IP-Address attribute, however, I would like to know why it doesn't expand the NAS-IP-Adress attribute. Sorry for my english and lot of thanks......... -- Diego Martín Capello Administrador RedUBA Centro de Comunicación Científica Universidad de Buenos Aires