FR 3.0 doesn't return Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id in Access-Accept

Nick Porter nick at
Thu Jan 6 10:02:08 CET 2022

Hi  Alex

There are two changes I think you need to make:

1. In the inner-tunnel virtual server there is a block wrapped in "if 
(0)" - change that to "if (1)" to ensure copy the appropriate reply 
attributes from the inner tunnel to the outer session list.

Then in the default virtual server, in the post-auth section, ensure you 

update {
     &reply := &session-state

2. Remove the call to the files module in the authorize section of the 
default virtual server - that is what is putting the attributes in the 
Access-Challenge packets.

If you are authenticating other types of users which are not using a 
tunnelled EAP method, and that authentication relies on data in the 
users file, then I would define a different instance of the files module 
for the EAP-PEAP user and use that instance in the inner-tunnel.


On 06/01/2022 00:07, Alex Zetaeffesse wrote:
> Hi,
> I configured a user as follows in /etc/freeradius/3.0/users
> # PEAP Cisco
> cisco at realm.local  Cleartext-password := realm123
>       Tunnel-Type=VLAN,
>       Tunnel-Medium-Type=IEEE-802,
>       Tunnel-Private-Group-Id = "VLAN103"
> I see FR sends such attributes in the second Access-Challenge but not in
> the Access-Accept.
> Therefore our 9800 puts the client in the default VLAN.
> Most probably it's a FR misconfiguration but I wouldn't know why and where
> in the config to fix it.
> I have attached the debugs from freeradius -X and the captures.
> Hope somebody can point me in the right direction.
> Alex
> -
> List info/subscribe/unsubscribe? See

Nick Porter

Porter Computing Ltd
Registered in England No 12659380

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list