Client-Shortname Attribute can only be queried, and cannot be assigned.

Alan DeKok aland at
Sat Aug 28 00:08:17 CEST 2021

On Aug 27, 2021, at 5:29 PM, Jonathan Davis <jonathan at> wrote:
> I was scratching my head to understand why, in the authorize section of a virtual server, this worked:
> switch Client-Shortname {

  See "man unlang".  The default is for the "switch" statement to treat Client-Shortname as an attribute reference, if the attribute exists.  This is for compatibility with older versions.

 So you should really be using

	switch &Client-Shortname {

  and arguably the server should warn you about *not* including the &.  I'll push a fix to highlight this.

> But this did not:
> update control {
>         Pam-Auth := Client-Shortname

  That just assigned the string "Client-Shortname" to the PAM-Auth attribute.  If you want the value, you have to use:

	PAM-Auth := "%{Client-Shortname}"

or tell the assignment that you're referring to an attribute:

	PAM-Auth := &Client-Shortname

> And remembering my previous question, started combing through the docs on unlang, attributes, and hit on run-time variables where it says Client-Shortname is a meta-attributes that can only be queried, and cannot be assigned. Which I take it is why the second one does not work?

  No, it's just an artifact of historical issues.

> I can keep going with the switch case, but I am wondering if this is the a bad solution? Can attributes or variables be set at the client level which are accessible? Should I use a dictionary option? I know I need to dig deeper, but a nudge (either towards good, or away from bad) would be appreciated.

  It's fine.

  Alan DeKok.

More information about the Freeradius-Users mailing list