Hi,
During a rebuild of our Radius servers from an old freeradius 1.x install to 
2.1.10, we've lost the ability to push multiple usergroups to our Cisco LNS:
MySQL:
radcheck:
id      UserName        Attribute       op      Value
9791    t...@realm      Password        :=      {clear}somepass

radgroupreply:
id      GroupName       Attribute       op      Value
161     VRF-TEST        Cisco-AVPair    +=      ip:vrf-id=TEST
162     VRF-TEST        Cisco-AVPair    +=      ip:ip-unnumbered=loopback25
2211    QOS-PROFILE     Cisco-AVPair    +=      ip:sub-qos-policy-out=TEST-QOS-PROFILE

radreply:
id      UserName        Attribute       op      Value
124561  t...@realm      Framed-IP-Netmask       =       255.255.255.255
124571  t...@realm      Framed-IP-Address       =       1.1.1.1

usergroup:
UserName        GroupName       priority
t...@realm      VRF-TEST        1
t...@realm      QOS-PROFILE     2

Debugging Radius on the Cisco shows (amongst other things):
RADIUS:  Vendor, Cisco       [26]  21
RADIUS:   Cisco AVpair       [1]   15  "ip:vrf-id=TEST"
RADIUS:  Vendor, Cisco       [26]  35
RADIUS:   Cisco AVpair       [1]   29  "ip:ip-unnumbered=loopback25"

If you set QOS-PROFILE to priority 0 for example, it will then only pick up the 
QOS-PROFILE usergroup, not both. Setting both usergroups to same priority 
yields the same results; only applying the first, never both.

To rule out the Cisco I've performed a tcpdump on Radius itself; I can only see 
freeradius sending one usergroup in the Access-Accept response.
This is also a fresh freeradius install via FreeBSD ports; no configuration was 
carried over from the previous install except for MySQL DB credentials.

Thoughts?
