add attribute when proxying

Alan DeKok aland at
Thu Jun 29 18:46:12 CEST 2017

On Jun 29, 2017, at 11:33 AM, denis <den.zinevich at> wrote:
> Thanks for info, as it usually happens in life - figured out just after
> asking. Attributes 1000-1199 are never sent, was not obvious though...

  Those limitations are part of the RADIUS protocol, not FreeRADIUS.

  The general idea is to send attributes the other end understands, in which case the attributes are already defined.

> Just for experiment I picked random (and unused in my case) +/- suitable
> attr from rfc list - Connect-Info, and ‚Äčit worked fine.
> I know that I can't invent attr, it must be in dictionary, this is clear
> from docs. It took time to understand why Tmp-String is not sent.

  If it works for you...

> Business case itself if:
> I have lots of servers configured exactly same way, they run vpn daemons,
> which in turn use radius.
> each of that servers has property - "premium" which defines if client can
> or can't connect to specific server
> So my idea is to pass 1/0 flag in any suitable attribute, and home/main
> freeradius server in turn will pass that to script which performs auth,
> this way main server will know to which one user is connecting.

  If it's a site-local attribute, you can create vendor-specific attributes.  That's what those are for.

  Alan DeKok.

More information about the Freeradius-Users mailing list