RADIUS packets have User-Name attribute, not Account.
Changed filters to use ~*req.User-Name for matching.
Added *log flag to first processor for debugging.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CGRateS PAP has null-padding bug that requires newer version with
*strip fix. Using *authorize + *attributes instead of *radauth.
This checks if account exists (authorization) but does NOT verify
passwords (authentication). Same approach as the working sample.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Testing if *radauth + *pap works with hardcoded password "test"
before adding attributes complexity.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Each processor needs a request type flag (*none, *authorize, *radauth, etc.)
The *attributes flag is just a modifier, not a request type.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Two-processor approach:
1. AuthGetPassword: Fetches user password from attributes
2. AuthPAP: Uses *radauth + *pap with *strip:*suffix:*nil converter
to remove null padding from PAP passwords before comparison
Uses ~*req.User-Password{*strip:*suffix:*nil} as recommended by
CGRateS maintainers to fix the null-padding comparison bug.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CGRateS has a bug where PAP passwords are compared with null padding
intact ("test\0\0\0..." != "test"). Using *none flag to accept all
auth requests while returning Session-Timeout.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Single processor with hardcoded password "test" to verify PAP works.
Removed Acct-Interim-Interval (not in dictionary).
Once PAP works, will add attributes lookup.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
*dry_run was not recognized. Using *message which is a valid
request type that works with *attributes flag.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Two-step auth flow:
1. AuthGetPassword: Fetches password from attributes using *dry_run
2. AuthPAP: Performs PAP authentication with *radauth + *pap
Will add CHAP and MS-CHAPv1 after PAP is confirmed working.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CGRateS has a bug where *radauth + *mschapv2 looks for MS-CHAP-Response
(attribute 1) instead of MS-CHAP2-Response (attribute 25).
MikroTik sends MS-CHAP2-Response, causing MANDATORY_IE_MISSING error.
This workaround uses *event + *attributes to validate user existence
via attributes subsystem. The actual password validation is NOT done
server-side - MikroTik will handle MS-CHAPv2 locally.
TODO: Report bug to CGRateS - librad.go line 130 should use
MS-CHAP2-Response for MetaMSCHAPV2 case.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed *accounts flag and mandatory MaxUsage field that was causing
NOT_FOUND:MaxUsage error. Using fixed Session-Timeout instead.
First processor now just fetches attributes (password) for auth.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Two-processor approach:
1. MSCHAPv2GetPassword: Uses *authorize + *attributes to fetch password
from CGRateS attributes subsystem and get MaxUsage for session timeout
2. MSCHAPv2Auth: Uses *radauth + *mschapv2 to perform actual MS-CHAPv2
authentication with cryptographic proof (MS-CHAP2-Success)
The password is read from ~*cgrep.Attributes.Password (set via Attributes.csv)
and placed in *vars.UserPassword for the *radauth to use.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The processor must have a request type flag (*none, *authorize, *radauth, etc.)
not just *log. Without it, reqType stays empty and hits the default switch case
returning "unknown request type: <>".
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed context from *sessions to *any for all attribute profiles
- Created explicit filter definitions in Filters.csv
- Changed from inline filters to named filters (FLTR_ACCOUNT_*)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
