ERROR: Invalid vendor name in attribute name "radiusCheckItem"

Alan DeKok aland at deployingradius.com
Sun Dec 20 18:08:59 CET 2015


On Dec 20, 2015, at 10:43 AM, Amir Tal <amir at ccc.co.il> wrote:
> Using freeradius 2.1.12 on centos 5
> Users are saved in LDAP, accounting data in MySQL.

  OK.  Though it would be better to use a version of the server which isn't 5 years old.

> We are looking to implement IP address allocation in radius, using Rlm_sqlippool.
> Already implemented sql host with pool data (added sqlippool to /etc/raddb/sites-enabled/default), working as expected.

  That's good.

> We do not want to add pool info to the LDAP entries, but have the radius assign a pool according to other (existing) parameters.
> 
> Added the following to 'post-auth' of /etc/raddb/sites-enabled/default (users with radiusReplyItem of certain type should get a radiusCheckItem with pool name):
> ...
>        if ( radiusReplyItem =~ /fast/i ) {
>                update request {
>                        radiusCheckItem := "Pool-Name := test_pool"

  Huh?  What is what?  You can't just randomly invent names and use them.

  The things you're checking are RADIUS attribute names.  See "man unlang".  This is documented.

> Two issues exist with this:

  1) it's completely wrong

  2) because it's wrong, it will never do what you want

> 1.       Condition is never met, even for users that have :
> 
> radiusReplyItem = "Framed-Pool:=fast"

  Please read the docs.  The "radiusReplyItem" is a field in LDAP.  The configuration above sets the *RADIUS* attribute named "Framed-Pool" to have value "fast".

  It does *not* let you do checks against a "radiusReplyItem" thing.

> 2.       Cannot even start radius with this syntax, I get an error:
> 
> Sun Dec 20 17:37:41 2015 : Error: /usr/local/etc/raddb/sites-enabled/default[483]: ERROR: Invalid vendor name in attribute name "radiusCheckItem"

  That should give you a hint that the configuration is invalid.

> How can this be used for 'radiusCheckItem' and 'radiusReplyItem'? Is this possible at all?

  I have no idea what you think 'radiusCheckItem' and 'radiusReplyItem' are doing.

  Read the documentation for the LDAP module:

http://wiki.freeradius.org/modules/Rlm_ldap

  That should make it clear how things work.

  Alan DeKok.
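
An added example, not part of the original message and not FreeRADIUS project code: one way to write the intended rule against RADIUS attribute names, as the reply describes. It assumes the ldap module has already run and placed Framed-Pool in the reply list from the user's radiusReplyItem value, and that sqlippool takes its pool from the control attribute Pool-Name; the pool name test_pool comes from the question.

```unlang
# /etc/raddb/sites-enabled/default (sketch, assumptions as stated above)
post-auth {
        # "radiusReplyItem" is only the LDAP field that carried the value.
        # What the server holds after the ldap module runs is the RADIUS
        # attribute Framed-Pool in the reply list, so that is what the
        # condition has to name.
        if (reply:Framed-Pool =~ /fast/i) {
                # "radiusCheckItem" is likewise an LDAP field, not an
                # attribute. Check items live in the control list, so the
                # pool name is set there, using a real dictionary attribute.
                update control {
                        Pool-Name := "test_pool"
                }
        }

        # Allocate the address after Pool-Name has been decided.
        sqlippool
}
```

Running the server in debug mode (radiusd -X) shows whether Framed-Pool is present in the reply and whether the condition matched.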




More information about the Freeradius-Users mailing list