Radius attributes not sent

Sat Jan 18 00:25:08 UTC 2025

Hello,

I have created a user like this

> select * from radcheck where id=3;
+----+----------+--------------------+----+----------+
| id | username | attribute          | op | value    |
+----+----------+--------------------+----+----------+
|  3 | tata     | Cleartext-Password | := | passtata |
+----+----------+--------------------+----+----------+

> select * from radreply where id=3;
+----+----------+--------------+----+-------+
| id | username | attribute    | op | value |
+----+----------+--------------+----+-------+
|  3 | tata     | Fall-Through | =  | Yes   |
+----+----------+--------------+----+-------+

> select * from radusergroup;
+----+----------+-----------+----------+
| id | username | groupname | priority |
+----+----------+-----------+----------+
|  1 | tata     | admin     |        1 |
+----+----------+-----------+----------+

> select * from radgroupreply;
+----+-----------+-------------------------+----+----------+
| id | groupname | attribute               | op | value    |
+----+-----------+-------------------------+----+----------+
|  1 | admin     | Tunnel-Type             | == | VLAN     |
|  2 | admin     | Tunnel-Medium-Type      | == | IEEE-802 |
|  3 | admin     | Tunnel-Private-Group-Id | == | 9        |
+----+-----------+-------------------------+----+----------+

But when I make my radius test request the Access accept is sent but not the other attributes

# radtest tata passtata 127.0.0.1 1812 testing123
Sent Access-Request Id 54 from 0.0.0.0:39af to 127.0.0.1:1812 length 74
        User-Name = "tata"
        User-Password = "passtata"
        NAS-IP-Address = 10.127.2.210
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "passtata"
Received Access-Accept Id 54 from 127.0.0.1:714 to 127.0.0.1:14767 length 20

In my debug logs my attributes are retrieved but not sent

(2) Received Access-Request Id 54 from 127.0.0.1:14767 to 127.0.0.1:1812 length 74
(2)   User-Name = "tata"
(2)   User-Password = "passtata"
(2)   NAS-IP-Address = 10.127.2.210
(2)   NAS-Port = 1812
(2)   Message-Authenticator = 0xbea8f8a6107528be29765e63e58d0a3d
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "tata", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [files] = noop
(2) sql: EXPAND %{User-Name}
(2) sql:    --> tata
(2) sql: SQL-User-Name set to 'tata'
rlm_sql (sql): Reserved connection (5)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tata' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tata' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql:   Cleartext-Password := "passtata"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tata' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tata' ORDER BY id
(2) sql: User found in radreply table, merging reply items
(2) sql:   Fall-Through = Yes
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'tata' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'tata' ORDER BY priority
(2) sql: User found in the group table
(2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'admin' ORDER BY id
(2) sql: Group "admin": Conditional check items matched
(2) sql: Group "admin": Merging assignment check items
(2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'admin' ORDER BY id
(2) sql: Group "admin": Merging reply items
(2) sql:   Tunnel-Type == VLAN
(2) sql:   Tunnel-Medium-Type == IEEE-802
(2) sql:   Tunnel-Private-Group-Id == "9"
rlm_sql (sql): Released connection (5)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on Localhost via UNIX socket, server version 10.9.8-MariaDB, protocol version 10
rlm_sql (sql): Closing expired connection (6) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing expired connection (0) - Hit idle_timeout limit
rlm_sql_mysql: Socket destructor called, closing socket
(2)     [sql] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2)     [pap] = updated
(2)   } # authorize = updated
(2) Found Auth-Type = PAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Auth-Type PAP {
(2) pap: Login attempt with password
(2) pap: Comparing with "known good" Cleartext-Password
(2) pap: User authenticated successfully
(2)     [pap] = ok
(2)   } # Auth-Type PAP = ok
(2) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(2)   post-auth {
(2)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(2)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(2)     update {
(2)       No attributes updated for RHS &session-state:
(2)     } # update = noop
(2) sql: EXPAND .query
(2) sql:    --> .query
(2) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(2) sql: EXPAND %{User-Name}
(2) sql:    --> tata
(2) sql: SQL-User-Name set to 'tata'
(2) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S.%M' )
(2) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'tata', 'passtata', 'Access-Accept', '2025-01-18 01:21:24.187903' )
(2) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate ) VALUES ( 'tata', 'passtata', 'Access-Accept', '2025-01-18 01:21:24.187903' )
(2) sql: SQL query returned: success
(2) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(2)     [sql] = ok
(2)     [exec] = noop
(2)     policy remove_reply_message_if_eap {
(2)       if (&reply:EAP-Message && &reply:Reply-Message) {
(2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(2)       else {
(2)         [noop] = noop
(2)       } # else = noop
(2)     } # policy remove_reply_message_if_eap = noop
(2)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
(2)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
(2)   } # post-auth = ok
(2) Login OK: [tata] (from client localhost port 1812)
(2) Sent Access-Accept Id 54 from 127.0.0.1:1812 to 127.0.0.1:14767 length 20
(2) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 54 with timestamp +6200 due to cleanup_delay was reached
Ready to process requests

I don't have any filters in place
# grep filt /etc/raddb/radiusd.conf

What could be the problem ?