radius property mappings: use of RFC attributes results in "Failed to evaluate property-mapping" error #16993
Description
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
- In the authentik source lookup an RFC attribute from
authentik/providers/radius/dictionaries/dictionaryand choose one, e.g. Class - Create a radius provider property mapping
- In the expression use the chosen attribute, for example:
Important here is to use the syntax as shown in https://docs.goauthentik.io/add-secure-apps/providers/radius/#radius-attributes
packet["Class"] = "0x1234" return packet - Assign property mapping to radius provider
- Test Radius property mapping
- See "Failed to evaluate property-mapping" error in the Logs
Expected behavior
There should be a way to use RFC attributes.
Logs
authentik-server-1 | {"action": "configuration_error", "auth_via": "session", "client_ip": null, "context": {"exception": [{"exc_notes": [], "exc_type": "PropertyMappingExpressionException", "exc_value": "", "exceptions": [], "frames": [{"filename": "/authentik/providers/radius/api/providers.py", "lineno": 138, "locals": {"define_attribute": "'<function RadiusOutpostConfigViewSet.get_attributes.<locals>.define_attribute at'+16", "dict": "<pyrad.dictionary.Dictionary object at 0x7feddef6d300>", "exc": "PropertyMappingExpressionException()", "mapper": "<authentik.lib.sync.mapper.PropertyMappingManager object at 0x7feddef6d710>", "packet": "AuthPacket()", "provider": "<RadiusProvider: Radius Provider Radius Outpost>", "self": "'<authentik.providers.radius.api.providers.RadiusOutpostConfigViewSet object at 0'+14"}, "name": "get_attributes"}, {"filename": "/authentik/lib/sync/mapper.py", "lineno": 75, "locals": {"kwargs": "{'packet': AuthPacket()}", "mapping": "'<authentik.core.expression.evaluator.PropertyMappingEvaluator object at 0x7fedf8'+7", "request": "\"<rest_framework.request.Request: GET '/api/v3/outposts/radius/22/check_access/?a\"+16", "return_mapping": "False", "self": "<authentik.lib.sync.mapper.PropertyMappingManager object at 0x7feddef6d710>", "user": "<SimpleLazyObject: <User: myuser>>"}, "name": "iter_eval"}], "is_cause": false, "is_group": false, "syntax_error": null}, {"exc_notes": [], "exc_type": "TypeError", "exc_value": "startswith first arg must be str or a tuple of str, not bytes", "exceptions": [], "frames": [{"filename": "/authentik/lib/sync/mapper.py", "lineno": 71, "locals": {"kwargs": "{'packet': AuthPacket()}", "mapping": "'<authentik.core.expression.evaluator.PropertyMappingEvaluator object at 0x7fedf8'+7", "request": "\"<rest_framework.request.Request: GET '/api/v3/outposts/radius/22/check_access/?a\"+16", "return_mapping": "False", "self": "<authentik.lib.sync.mapper.PropertyMappingManager object at 0x7feddef6d710>", "user": "<SimpleLazyObject: <User: myuser>>"}, "name": "iter_eval"}, {"filename": "/authentik/core/expression/evaluator.py", "lineno": 87, "locals": {"args": "('packet[\"Class\"] = \"0x1234\"\\nreturn packet',)", "kwargs": "{}", "self": "'<authentik.core.expression.evaluator.PropertyMappingEvaluator object at 0x7fedf8'+7"}, "name": "evaluate"}, {"filename": "/authentik/lib/expression/evaluator.py", "lineno": 261, "locals": {"_locals": "\"{'request': <PolicyRequest user=myuser obj=Radius Provider Property Mapp\"+365", "ast_obj": "<code object <module> at 0x7fedf7febe10, file \"Class-Test\", line 1>", "expression_source": "'packet[\"Class\"] = \"0x1234\"\\nreturn packet'", "self": "'<authentik.core.expression.evaluator.PropertyMappingEvaluator object at 0x7fedf8'+7", "span": "\"<Span(op='authentik.lib.evaluator.evaluate', description:'Class-Test', trace_id=\"+131"}, "name": "evaluate"}, {"filename": "/Class-Test", "lineno": 4, "locals": {"handler": "<function handler at 0x7fedf7f5da80>", "http_request": "\"<rest_framework.request.Request: GET '/api/v3/outposts/radius/22/check_access/?a\"+16", "packet": "AuthPacket()", "request": "'<PolicyRequest user=myuser obj=Radius Provider Property Mapping Class-Te'+113", "user": "<SimpleLazyObject: <User: myuser>>"}, "name": "<module>"}, {"filename": "/Class-Test", "lineno": 2, "locals": {"packet": "AuthPacket()", "request": "'<PolicyRequest user=myuser obj=Radius Provider Property Mapping Class-Te'+113"}, "name": "handler"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/pyrad/packet.py", "lineno": 359, "locals": {"item": "'0x1234'", "key": "'Class'", "self": "AuthPacket()"}, "name": "__setitem__"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/pyrad/packet.py", "lineno": 279, "locals": {"_": "''", "attr": "<pyrad.dictionary.Attribute object at 0x7fedf4627750>", "key": "25", "self": "AuthPacket()", "tag": "''", "values": "['0x1234']"}, "name": "_EncodeKeyValues"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/pyrad/packet.py", "lineno": 254, "locals": {"attr": "<pyrad.dictionary.Attribute object at 0x7fedf4627750>", "result": "''", "self": "AuthPacket()", "value": "'0x1234'"}, "name": "_EncodeValue"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/pyrad/tools.py", "lineno": 185, "locals": {"datatype": "'octets'", "value": "'0x1234'"}, "name": "EncodeAttr"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/pyrad/tools.py", "lineno": 24, "locals": {"str": "'0x1234'"}, "name": "EncodeOctets"}], "is_cause": true, "is_group": false, "syntax_error": null}], "mapping": {"app": "authentik_providers_radius", "model_name": "radiusproviderpropertymapping", "name": "Class-Test", "pk": "5924a578fba3450eb77ad4b9b1855ef0"}, **"message": "Failed to evaluate property-mapping"**}, "domain_url": "server", "event": "Created Event", "host": "server:9443", "level": "info", "logger": "authentik.events.models", "pid": 20995, "request_id": "c4f540d249d74c4ca6f68af583a52efb", "schema_name": "public", "timestamp": "2025-09-25T10:17:41.635584", "user": {}}
Version and Deployment (please complete the following information):
- authentik version: 2025.8.3
- Deployment: docker-compose