Unreliable Dynamic VLAN Assignment?
Palmer J.D.F.
J.D.F.Palmer at swansea.ac.uk
Sun Sep 20 23:35:26 CEST 2009
Hi,
We're having a bit of a problem with FreeRADIUS not always including
VLAN information in access-accept packets; I've not been able as yet to
establish what the cause is so I thought I'd throw it out to the list if
there's something others have come across.
Needless to say our testing through the summer had not highlighted this
issue, but now we have 3000 students trying to connect it's become
apparent.
A bit of info, we're seeing this issue in both FR 2.1.1 and 2.1.7, and
our NASes are Cisco WiSM.
Users' VLAN info is stored in the SQL usergroup table.
I have an sql.authorize statement in the Post-Auth section of both the
default (outer), and inner-tunnel conf files.
Initially I thought it was only clients with an anonymised outer
identity that were having this issue, which seemed plausible as the
sql.authorize in default would see the outer and fail to find it in sql
(though wouldn't explain why it works sometimes); but it appears not to be
just these users, as we're now seeing users who are not using anon
outers having the same issue.
Another thought was that fast-reauth could be the issue, in that somehow
a fast-reauth request was not doing a Post-Auth sql.authorize and
therefore not sending back the VLAN info?
I fully expect it's a config issue, but any insight would be gratefully
received.
Currently I do not have CCKM enabled on the controllers, but for some
time I have been considering enabling this to take some load off RADIUS,
and also wondered if it would help this current problem. Is there
anything to be wary of with CCKM?
Many thanks,
Jezz Palmer.