advice for breaking an array of vendor attributes into local attributes and updating a database

Matthew Newton mcn at
Wed Feb 17 00:10:31 CET 2021

On 16/02/2021 22:53, Matt Zagrabelny via Freeradius-Users wrote:
> I receive an accounting packet from a Cisco NAS. It has an array of
> Cisco-AVPair tuples that FR processes.

Ah yes, Cisco's standard "can't be bothered to create proper 
dictionaries" junk.

> I am hoping to break out the various
> Cisco-AVPair tuples into key-value pairs to insert into a database. I am
> starting with a single (and specific) Cisco-AVPair.
> Snippets of freeradius -X follows...
> Here is the AVP in the accounting packet...
> (23)   Cisco-AVPair = "mdm-tlv=device-platform-version=10.0.18363 "

Generally speaking you can update /etc/raddb/dictionary and add a new 
entry that matches the "fake" Cisco key, e.g.

   ATTRIBUTE mdm-tlv 3000 string

Then edit raddb/mods-enabled/preprocess and set

   with_cisco_vsa_hack = yes

and call 'preprocess' in authorize (or accounting, if you need it there).

You'll then get a new request attribute &mdm-tlv with the values from 
the Cisco-AVPair attribute.

Given they've been doubly stupid and used two ='s in that string then 
you may come unstuck there, but if it's the only attribute in that 
format then this might solve it. Just add a local attribute for each of 
the names they used.

Some of their equipment has options to use real attributes instead of 
the braindead stuff, so you might be able to dig around and find an 
option to turn that on instead.

> Am I using the wrong section in my default site for attempting to set a
> local (internal) attribute?

Internal attributes are no different from other attributes, they just 
can't get sent out on the wire.

Use the debug policies to view what's happening at a particular time, e.g.




see policys.d/debug

> I know that I am using "update reply" in my unlang. That doesn't feel
> correct for accounting unlang, but I'll need correction or confirmation in
> that area.

It'll get cleared before the response is sent, so it's fine to use as a 
temporary location.


More information about the Freeradius-Users mailing list