Virtual server can't set reply attributes
Alan DeKok
aland at deployingradius.com
Fri Sep 5 13:44:49 CEST 2014
Paul wrote:
> My configuration includes two local virtual servers for two different
> realms. Everything was fine on freeradius 2.2.5.
OK.
> Now I try to move configuration to the release 3 (3.0.4 rc2).
> I have a problem with attributes set on the local virtual server.
> These attributes found in the SQL, but not returned to the NAS with
> Access-Accept. (debug output below)
> User 'test1' has its own attribute in the radreply SQL table:
> SELECT * FROM radreply WHERE username = 'test1';
> +------+----------+--------------+----+------------------------------------------------+
> | id   | username | attribute    | op | value                                          |
> +------+----------+--------------+----+------------------------------------------------+
> | 8880 | test1    | Cisco-AVPair | += | "Cisco-AVPair += "ip:inacl=ACL_VIRT_SECURE_IN" |
> +------+----------+--------------+----+------------------------------------------------+
That's wrong. Why are you using Cisco-AVPair twice? It should be:
Cisco-AVPair
+=
"ip:inacl=ACL_VIRT_SECURE_IN"
> (0) sql : EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
> (0) sql : --> test1
> (0) sql : SQL-User-Name set to 'test1'
> rlm_sql (sql): Reserved connection (4)
> (0) sql : EXPAND SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id
> (0) sql : --> SELECT id, username, attribute, value, op FROM
> radcheck WHERE username = BINARY 'test1' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
> value, op FROM radcheck WHERE username = BINARY 'test1' ORDER BY id'
> (0) sql : User found in radcheck table
> (0) sql : Check items matched
That's good.
> (0) sql : EXPAND SELECT id, username, attribute, value, op FROM
> radreply WHERE username = BINARY '%{SQL-User-Name}' ORDER BY id
> (0) sql : --> SELECT id, username, attribute, value, op FROM
> radreply WHERE username = BINARY 'test1' ORDER BY id
> rlm_sql (sql): Executing query: 'SELECT id, username, attribute,
> value, op FROM radreply WHERE username = BINARY 'test1' ORDER BY id'
> (0) sql : User found in radreply table
That's good.
> (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
> BINARY '%{SQL-User-Name}' ORDER BY priority
> (0) sql : --> SELECT groupname FROM radusergroup WHERE username =
> BINARY 'test1' ORDER BY priority
> rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
> WHERE username = BINARY 'test1' ORDER BY priority'
> (0) sql : User not found in any groups
That shouldn't matter.
> rlm_sql (sql): Released connection (4)
> rlm_sql (sql): Closing connection (0), from 1 unused connections
> rlm_sql_mysql: Socket destructor called, closing socket
That's not good. It looks like the "pool" configuration is wrong.
The module should NOT be closing connections immediately.
> (0) Sending Access-Accept packet to host x.x.53.4 port 1645, id=38, length=0
> Sending Access-Accept Id 38 from x.x.52.133:1812 to x.x.53.4:1645
> (0) Finished request
> Waking up in 0.3 seconds.
> (...)
OK... and what does the debug log look like for 2.2.5? Are you using
the same SQL tables? Or different ones?
Alan DeKok.
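
An added example, not part of Alan's reply or of FreeRADIUS itself: a small audit that flags radreply rows whose value column repeats the attribute name and operator, as in row 8880 above. It assumes the radreply columns shown in the post and uses an in-memory SQLite table with constructed sample rows (only row 8880 mirrors the post) in place of the MySQL database; the function names are illustrative.

```python
import re
import sqlite3

# Operators looked for after the attribute name (a subset of FreeRADIUS operators).
_OPS = r"(?:\+=|:=|==|=)"


def split_embedded_pair(attribute, value):
    """If value starts with 'attribute op', return the remainder; otherwise None."""
    pattern = r'\s*"?\s*' + re.escape(attribute) + r"\s*" + _OPS + r"\s*(.*)"
    m = re.fullmatch(pattern, value, re.DOTALL | re.IGNORECASE)
    return m.group(1).strip() if m else None


def audit_radreply(conn):
    """Return (id, username, attribute, op, suggested_value) for suspicious rows."""
    rows = conn.execute(
        "SELECT id, username, attribute, op, value FROM radreply ORDER BY id")
    findings = []
    for row_id, user, attr, op, value in rows:
        rest = split_embedded_pair(attr, value)
        if rest is not None:
            findings.append((row_id, user, attr, op, rest))
    return findings


def build_sample_db():
    """Constructed sample data: row 8880 mirrors the post, the others are invented."""
    conn = sqlite3.connect(":memory:")  # assumption: SQLite stands in for MySQL
    conn.execute("CREATE TABLE radreply (id INTEGER PRIMARY KEY, username TEXT,"
                 " attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radreply VALUES (?, ?, ?, ?, ?)", [
        (8880, "test1", "Cisco-AVPair", "+=",
         '"Cisco-AVPair += "ip:inacl=ACL_VIRT_SECURE_IN"'),
        # A correct value contains '=' but does not start with the attribute name.
        (8881, "test2", "Cisco-AVPair", "+=", '"ip:inacl=ACL_VIRT_SECURE_IN"'),
        (8882, "test3", "Framed-IP-Address", ":=", "192.0.2.10"),
    ])
    return conn


if __name__ == "__main__":
    for finding in audit_radreply(build_sample_db()):
        print("radreply id=%d user=%s: value repeats '%s %s'; "
              "value should be %s" % finding)
```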