Using "Tunnel-Private-Group-Id" in linelog

Burger, Wolfgang wburger at
Wed Oct 23 15:52:01 CEST 2019

Dear freeradius-users,

I´m using FreeRADIUS Version 2.1.12 to dynamically set the VLAN-ID on some switches by client-mac-address.

Works like a charm.

I have to modify the logfiles and would like to use linelog.

This is my linelog config:

linelog vlanlog {

filename = ${logdir}/vlanlog

permissions = 0600

format = "This is a log message for %{User-Name}"

reference = "%{%{Packet-Type}:-format}"

Access-Request = "%S: %{reply:Packet-Type} AAA-VLAN-Request for %{User-Name} on %{NAS-Identifier} (%{NAS-IP-Address}) at Port %{NAS-Port-Id}. Put to VLAN %{reply:Tunnel-Private-Group-Id}"

Access-Reject = "Rejected access: %{User-Name}"

Access-Challenge = "Sent challenge: %{User-Name}"


And this is a Request and Reply for a VLAN-Request:

rad_recv: Access-Request packet from host port 1812, id=125, length=320

Framed-MTU = 1466

NAS-IP-Address =

NAS-Identifier = "Switch31"

User-Name = "0cc47a96a6af"

Service-Type = Call-Check

Framed-Protocol = PPP

NAS-Port = 41

NAS-Port-Type = Ethernet

NAS-Port-Id = "41"

Called-Station-Id = "00-16-b9-d1-01-d7"

Calling-Station-Id = "0c-c4-7a-96-a6-af"

Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"


MS-RAS-Vendor = 11

HP-Capability-Advert = 0x011a0000000b28

HP-Capability-Advert = 0x011a0000000b2e

HP-Capability-Advert = 0x011a0000000b30

HP-Capability-Advert = 0x011a0000000b3d

HP-Capability-Advert = 0x0138

HP-Capability-Advert = 0x013a

HP-Capability-Advert = 0x0140

HP-Capability-Advert = 0x0141

HP-Capability-Advert = 0x0151

server vlan {

# Executing section authorize from file /etc/freeradius/sites-enabled/VLAN

+- entering group authorize {...}

++[preprocess] returns ok

++? if (NAS-Identifier == "switch61" && NAS-Port-Id == "11")

? Evaluating (NAS-Identifier == "switch61" ) -> FALSE

? Skipping (NAS-Port-Id == "11")

++? if (NAS-Identifier == "switch61" && NAS-Port-Id == "11") -> FALSE

++- entering else else {...}

[vlan_by_macaddr] users: Matched entry DEFAULT at line 8465

+++[vlan_by_macaddr] returns ok

++- else else returns ok

[chap] WARNING: Auth-Type already set.  Not setting to CHAP

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "0cc47a96a6af", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = Accept

Auth-Type = Accept, accepting the user

Login OK: [0cc47a96a6af] (from client vlan_switch31 port 41 cli 0c-c4-7a-96-a6-af)

# Executing section post-auth from file /etc/freeradius/sites-enabled/VLAN

+- entering group post-auth {...}

[vlanlog] expand: %{Packet-Type} -> Access-Request

[vlanlog] expand: %{%{Packet-Type}:-format} -> Access-Request

[vlanlog] expand: /var/log/freeradius/vlanlog -> /var/log/freeradius/vlanlog

[vlanlog] expand: %S: %{reply:Packet-Type} AAA-VLAN-Request for %{User-Name} on %{NAS-Identifier} (%{NAS-IP-Address}) at Port %{NAS-Port-Id}. -> 2019-10-23 14:27:54: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 ( at Port 41.

++[vlanlog] returns ok

} # server vlan

Sending Access-Accept of id 125 to port 1812

Tunnel-Type:0 = VLAN

Tunnel-Medium-Type:0 = IEEE-802

Tunnel-Private-Group-Id:0 = "\0001"

Finished request 8.

Going to the next request

Waking up in 4.9 seconds.

Im calling vlanlog only in

post-auth {


Post-Auth-Type REJECT {





I would like to include the information in "Tunnel-Private-Group-Id" into the linelog.

I´ve tried to add %{reply:Tunnel-Private-Group-Id} to the linelog config.

But the result in vlanlog is:

2019-10-23 15:42:53: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 ( at Port 41. Put to VLAN

How can i include the information in "Tunnel-Private-Group-Id" of Access-Accept into the linelog logfile?

Thank you very much and best regards,


More information about the Freeradius-Users mailing list