FreeRadius can't set custom variable


We want to set up StrongSwan VPN with FreeRadius for authentication. In addition to that, we want to assign different subnets to users based on AD groups. StrongSwan uses the Class attribute in an Access-Accept reply for that (https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius).

To my knowledge it is possible to use custom attributes in FreeRadius to store data used during the reply/proxy/control… process and send that back to StrongSwan.

Unfortunately this is not working in our FreeRadius environment and the custom attribute stays empty. It is however possible to access attributes already existing in the reply list.

This configuration, for example, sends back an empty Reply-Message variable.

/etc/raddb/dictionary:

ATTRIBUTE       test                    3000    string

/etc/raddb/users:

DEFAULT test = “TESTTEST”

/etc/raddb/sites-enabled/default:

…
post-auth {
        …
        update reply {
                Reply-Message := "%{control:test}"
        }
        …
}

Log-Output:

(11)     [exec] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)     update reply {
(11)       EXPAND %{control:test}
(11)          -->
(11)       Reply-Message :=
(11)     } # update reply = noop
(11)   } # post-auth = noop
(11) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:50913 length 0
(11)   MS-MPPE-Recv-Key = 0xd23e4723df9ff904741b91827518aaa48dcbca27204024965d37fdb6bece0270
(11)   MS-MPPE-Send-Key = 0x4e7de0fc944a5114ab435df43fa943901870741a86571e3ccddef11b82e406e1
(11)   EAP-Message = 0x03050004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   User-Name = "raduser"
(11)   Reply-Message  := ""
(11) Finished request

FreeRADIUS Version 3.0.19

According to these guides, the configuration above should work:

Is there anything we’re missing? Thanks in advance.


There is 1 best solution below


Your reply message should be formatted as

 Reply-Message := "Hello, %{User-Name}"

In your configuration file, you defined DEFAULT test = “TESTTEST”, but in the reply message you have mentioned "%{control:test}".

Please try with it.
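
The symptom in the question's log is an EXPAND line whose "-->" result is empty, followed by an attribute assigned that empty value. The following is an added example, not part of the question or the answer: a small scanner that lists every such empty expansion in debug output, per request, which goes beyond the single case shown above. The function name and the sample text are assumptions made for illustration; request 11 mirrors the log above and request 12 is constructed.

```python
import re

# Constructed sample of debug output: request 11 mirrors the log in the
# question, request 12 is a made-up expansion that succeeds.
SAMPLE_DEBUG = """\
(11)     update reply {
(11)       EXPAND %{control:test}
(11)          -->
(11)       Reply-Message :=
(11)     } # update reply = noop
(12)     update reply {
(12)       EXPAND Hello, %{User-Name}
(12)          --> Hello, raduser
(12)       Reply-Message := Hello, raduser
(12)     } # update reply = noop
"""

EXPAND_RE = re.compile(r"^\((\d+)\)\s+EXPAND (.*)$")
RESULT_RE = re.compile(r"^\((\d+)\)\s+-->\s?(.*)$")
ASSIGN_RE = re.compile(r"^\((\d+)\)\s+([\w.:-]+)\s+(:=|\+=|=)\s*(.*)$")


def empty_expansions(debug_text):
    """Return (request_id, template, assigned_attribute) for every
    expansion whose result line is empty."""
    lines = debug_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = EXPAND_RE.match(line)
        if not m or i + 1 >= len(lines):
            continue
        req, template = m.group(1), m.group(2).strip()
        result = RESULT_RE.match(lines[i + 1])
        if not result or result.group(1) != req or result.group(2).strip():
            continue  # no result line, other request, or non-empty value
        # The attribute being assigned is logged right after the "-->" line.
        attr = None
        if i + 2 < len(lines):
            a = ASSIGN_RE.match(lines[i + 2])
            if a and a.group(1) == req:
                attr = a.group(2)
        findings.append((int(req), template, attr))
    return findings


if __name__ == "__main__":
    for req, template, attr in empty_expansions(SAMPLE_DEBUG):
        print(f"request {req}: {template!r} expanded to nothing (assigned to {attr})")
```

Each finding names the request, the template that resolved to nothing, and the attribute that received the empty value, which points at the list (here control) to inspect earlier in the same request.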