Hi, We are having a problem with a freeradius migration, from two different servers. The first (old) 1.x : is OK On the new server (freeradius 3.0.12) FreeRadius select the user's radreply but don't send them in the "Access-Accept" We compared "sites-enabled/default" from the old and new, and didn't find differences in "authorize {" and "preprocess {" Bellow the Freeradius -X request : Ready to process requests (0) Received Access-Request Id 212 from 4.5.6.7:20506 to 1.2.3.4:1812 length 179 (0) Acct-Session-Id = "008fe531" (0) NAS-Port = 0 (0) NAS-Port-Type = Virtual (0) User-Name = "MY-NAS-ID" (0) Calling-Station-Id = "01-02-03-04-05-06" (0) Called-Station-Id = "11-12-13-14-15-16" (0) Framed-IP-Address = 192.168.3.254 (0) User-Password = "mypassword" (0) NAS-Identifier = "MY-NAS-ID" (0) NAS-IP-Address = 10.0.50.1 (0) Framed-MTU = 1496 (0) Connect-Info = "HTTPS" (0) Service-Type = Administrative-User (0) Message-Authenticator = 0x26fc427cba3a98946382a756c6659634 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) update request { (0) EXPAND %{User-Name} (0) --> MY-NAS-ID (0) SQL-User-Name set to 'MY-NAS-ID' rlm_sql (sql): Reserved connection (0) (0) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress="MY-NAS-ID" rlm_sql (sql): Released connection (0) rlm_sql (sql): Need 5 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10 (0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress="%{NAS-Identifier}"} (0) --> my-nas-id-group (0) &Huntgroup-Name := my-nas-id-group (0) } # update request = noop (0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}"){ (0) EXPAND %{User-Name} (0) --> MY-NAS-ID (0) SQL-User-Name set to 'MY-NAS-ID' rlm_sql (sql): Reserved connection (1) (0) Executing select query: SELECT groupname FROM radusergroup WHERE username="MY-NAS-ID" rlm_sql (sql): Released connection (1) (0) EXPAND %{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"} (0) --> my-nas-id-group (0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") -> TRUE (0) if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") { (0) [ok] = ok (0) } # if (&Huntgroup-Name == "%{sql:SELECT groupname FROM radusergroup WHERE username="%{User-Name}"}") = ok (0) ... skipping else: Preceding "if" was taken (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log: --> /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927 (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/4.5.6.7/auth-detail-20190927 (0) auth_log: EXPAND %t (0) auth_log: --> Fri Sep 27 11:58:20 2019 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "MY-NAS-ID", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [unix] = notfound (0) sql: EXPAND %{User-Name} (0) sql: --> MY-NAS-ID (0) sql: SQL-User-Name set to 'MY-NAS-ID' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'MY-NAS-ID' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'MY-NAS-ID' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "mypassword" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'MY-NAS-ID' ORDER BY id (0) sql: User found in radreply table, merging reply items (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,192.168.0.0/18,all" (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,172.16.0.0/12,all" (0) sql: Colubris-AVPair == "access-list=loginserver,DENY,all,10.0.0.0/8,all" (0) sql: Colubris-AVPair == "access-list=loginserver,ACCEPT,tcp,www.mydomain.com,all" (0) sql: Colubris-AVPair == "use-access-list=loginserver" (0) sql: Colubris-AVPair == "logo=https://webportail.mydomain.com/directory/logo.gif" (0) sql: Colubris-AVPair == "fail-page=https://webportail.mydomain.com/directory/fail.html" (0) sql: Colubris-AVPair == "session-page=https://webportail.mydomain.com/directory/session.html" (0) sql: Colubris-AVPair == "messages=https://webportail.mydomain.com/directory/messages.txt" (0) sql: Colubris-AVPair == "transport-page=https://webportail.mydomain.com/directory/transport.html" (0) sql: Colubris-AVPair == "login-err-url=https://webportail.mydomain.com/directory/login-error.php" (0) sql: Colubris-AVPair == "goodbye-url=https://webportail.mydomain.com/directory/goodbye.php" (0) sql: Colubris-AVPair == "login-url=https://webportail.mydomain.com/directory/index.php?mac=%m" (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = 'MY-NAS-ID' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'MY-NAS-ID' ORDER BY priority (0) sql: User found in the group table (0) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'my-nas-id-group' ORDER BY id (0) sql: Group "my-nas-id-group": Conditional check items matched (0) sql: Group "my-nas-id-group": Merging assignment check items (0) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (0) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id (0) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'my-nas-id-group' ORDER BY id (0) sql: Group "my-nas-id-group": Merging reply items rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d (0) reply_log: --> /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927 (0) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/4.5.6.7/reply-detail-20190927 (0) reply_log: EXPAND %t (0) reply_log: --> Fri Sep 27 11:58:20 2019 (0) [reply_log] = ok (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (3) (0) sql: EXPAND %{User-Name} (0) sql: --> MY-NAS-ID (0) sql: SQL-User-Name set to 'MY-NAS-ID' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept', '2019-09-27 11:58:20') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'MY-NAS-ID', 'mypassword', 'Access-Accept', '2019-09-27 11:58:20') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (3) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Login OK: [MY-NAS-ID/mypassword] (from client MY_CLIENT-WAN-IP port 0 cli 01-02-03-04-05-06) (0) Sent Access-Accept Id 212 from 1.2.3.4:1812 to 4.5.6.7:20506 length 0 (0) Finished request Waking up in 4.9 seconds. Regards, -- /Thibault Lansiaux/