multiple usergroups failing; freeradius 2.1.10 + Cisco-AVPairs

michael at michael at
Thu Dec 16 01:33:46 CET 2010

During a rebuild of our Radius servers from an old freeradius 1.x install to 2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:

id 	UserName 	Attribute 	op 	Value
9791 	test at realm 	Password 	:= 	{clear}somepass

id 	GroupName 	Attribute 	op 	Value
161 	VRF-TEST 	Cisco-AVPair 	+= 	ip:vrf-id=TEST
162 	VRF-TEST 	Cisco-AVPair 	+= 	ip:ip-unnumbered=loopback25
2211 	QOS-PROFILE 	Cisco-AVPair 	+= 	ip:sub-qos-policy-out=TEST-QOS-PROFILE

id 	UserName 	Attribute 	op 	Value
124561 	test at realm 	Framed-IP-Netmask 	=
124571 	test at realm 	Framed-IP-Address 	=

UserName 	GroupName 	priority
test at realm 	VRF-TEST 	1
test at realm 	QOS-PROFILE 	2

debugging Radius on the Cisco shows (amongst other things):
RADIUS:  Vendor, Cisco       [26]  21
RADIUS:   Cisco AVpair       [1]   15  "ip:vrf-id=TEST"
RADIUS:  Vendor, Cisco       [26]  35
RADIUS:   Cisco AVpair       [1]   29  "ip:ip-unnumbered=loopback25"

If you set QOS-PROFILE to priority 0 for example, it will then only pick up the QOS-PROFILE usergroup, not both. Setting both usergroups to same priority yields the same results; only applying the first, never both.

To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see freeradius sending one usergroup in the Access-Accept response.
This is also a fresh freeradius install via FreeBSD ports; no configuration was carried over from the previous install except for MySQL DB credentials.
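
The symptom reported above matches how the FreeRADIUS 2.x SQL module walks groups: it stops after the first matching group unless that group's reply items include `Fall-Through = Yes`. The following is an added example, not part of the original post and not FreeRADIUS code: a small Python model of that loop run over the rows quoted in the post, with hypothetical function names.

```python
# Added illustration: a constructed model of per-group reply merging.
# It is not FreeRADIUS source; function names here are hypothetical.

# Rows copied from the group-reply and user-to-group tables in the post.
GROUP_REPLY = [
    ("VRF-TEST", "Cisco-AVPair", "+=", "ip:vrf-id=TEST"),
    ("VRF-TEST", "Cisco-AVPair", "+=", "ip:ip-unnumbered=loopback25"),
    ("QOS-PROFILE", "Cisco-AVPair", "+=", "ip:sub-qos-policy-out=TEST-QOS-PROFILE"),
]
USER_GROUP = [("test at realm", "VRF-TEST", 1), ("test at realm", "QOS-PROFILE", 2)]


def apply_item(reply, attr, op, value):
    """Merge one reply item using the three operators seen in the tables."""
    present = any(a == attr for a, _ in reply)
    if op == "+=":                      # always append another instance
        reply.append((attr, value))
    elif op == ":=":                    # replace every existing instance
        reply[:] = [(a, v) for a, v in reply if a != attr] + [(attr, value)]
    elif op == "=" and not present:     # add only if not already set
        reply.append((attr, value))


def build_reply(user, user_group, group_reply):
    """Walk the user's groups in priority order, stopping without Fall-Through."""
    reply = []
    groups = sorted((m for m in user_group if m[0] == user), key=lambda m: m[2])
    for _, group, _ in groups:
        fall_through = False
        for g, attr, op, value in group_reply:
            if g != group:
                continue
            if attr == "Fall-Through":  # control item, never sent to the NAS
                fall_through = value.lower() == "yes"
            else:
                apply_item(reply, attr, op, value)
        if not fall_through:
            break                       # later groups are never evaluated
    return reply


def add_fall_through(group_reply, group):
    """Return a copy of the rows with Fall-Through = Yes added to one group."""
    return group_reply + [(group, "Fall-Through", "=", "Yes")]


if __name__ == "__main__":
    print(build_reply("test at realm", USER_GROUP, GROUP_REPLY))
    fixed = add_fall_through(GROUP_REPLY, "VRF-TEST")
    print(build_reply("test at realm", USER_GROUP, fixed))
```

In the SQL schema this corresponds to a `Fall-Through = Yes` row in the group reply table for each group that should be followed by another.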