Using postauth_users and Access-Reject

Alan DeKok aland at deployingradius.com
Mon Aug 9 08:31:55 CEST 2010


Peter Lambrechtsen wrote:
> Using FreeRadius 2.1.7 and trying to get the postauth_users to return an
> access reject however it always seems to return either a noop or ok.
..
> And this is what is in my postauth_users file:
> 
> DEFAULT Auth-Type := REJECT
>         Post-Auth-Type = Reject,

  Hmm... you are trying to change the *authentication* type to reject
after the *authenticate* section has been executed.  This won't work.

> Ideally I would assume if the Auth-Type := Reject then the return should
> be "RLM_MODULE_REJECT".

  No.  Setting "Auth-Type := Reject" is useful ONLY in the "authorize"
section, *before* the "authentication" section has been run.  It doesn't
reject the user immediately.  Instead, it tells the server to run the
"reject" authentication method.

> Since otherwise I think I will need to lookup if the Reply-Message is
> set to disabled, and then do a reject.

  No.

  If you want the post-auth section to return "reject", just put
"reject" into the list of modules to be run:

post-auth {
	...
	reject
	...
}

  See "man unlang" for details.

  Alan DeKok.



More information about the Freeradius-Users mailing list