Simple attribute question!

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Wed Aug 29 21:45:35 CEST 2012


Hi
I have a seemingly simple thing I need to do, however it doesn't
seem to be working. In the users file I do a quick match to see if a
user is in the regex list I put in (this is for overrides of an LDAP
group, determining higher privileges, but still basic access for the
group users), and then another regex checking against a certain IP range:

DEFAULT User-Name =~ "frankdsa|everdstons|kirddksa|kefls", NAS-IP-Address =~ "192.168.104.*"
        Reply-Message += "Welcome %{User-Name}\n",
        Reply-Message += "Admin access",
        Cisco-AVPair := "shell:priv-lvl=15"

This adds a couple of reply messages when the user logs in. Of course
the users file is pre-auth so it doesn't care if the ultimate request
gets rejected or not based on authorization or some other check.
Therefore I've added this to the post-auth-type reject section of the
default virtual server:

Post-Auth-Type REJECT {
        update reply {
                Reply-Message := "Authentication failed"
        }
}

It may be wiser to return nothing, i.e. Reply-Message := "" for security
reasons, but the point is that the reply-messages set in the users file
still pass through, so I get
Welcome (username)
Admin Access
Authentication Failed

All together. Am I doing something wrong? I also tried Reply-Message !*,
but this stopped the service firing up (version 2.10 - I see this was
talked about being fixed in 2.8?), or

Reply-Message -= "%{reply:Reply-Message}"

Which didn't work either.

Any ideas?

Thanks
Andy
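
An added example on the check line in the post, not part of the original message: FreeRADIUS `=~` is an unanchored regular-expression match, so the patterns as posted also match longer strings that merely contain them, which matters because this entry hands out `shell:priv-lvl=15`. The Python sketch below uses `re.search` as a stand-in for the server's regex engine and constructed sample values; the anchored patterns are an assumption about the intended scope (exact user names, hosts in 192.168.104.0/24).

```python
import re

# Patterns exactly as posted in the users-file check line.
USER_RE = r"frankdsa|everdstons|kirddksa|kefls"
NAS_RE = r"192.168.104.*"

# Anchored variants (assumption: exact user names, hosts in 192.168.104.0/24).
USER_RE_STRICT = r"^(frankdsa|everdstons|kirddksa|kefls)$"
NAS_RE_STRICT = r"^192\.168\.104\.[0-9]{1,3}$"

# Constructed sample requests: (User-Name, NAS-IP-Address).
SAMPLES = [
    ("frankdsa", "192.168.104.7"),    # intended match
    ("xfrankdsa2", "192.168.104.7"),  # different account containing a listed name
    ("kefls", "10.192.168.104"),      # different network containing the same digits
    ("kefls", "192.168.1.104"),       # no match either way
    ("someone", "192.168.104.7"),     # user not in the list
]


def entry_matches(user, nas_ip, user_re, nas_re):
    """Both check items must match, as on a single users-file check line."""
    return bool(re.search(user_re, user)) and bool(re.search(nas_re, nas_ip))


def compare(samples=SAMPLES):
    """Return (user, nas_ip, posted_result, anchored_result) per sample."""
    rows = []
    for user, nas_ip in samples:
        loose = entry_matches(user, nas_ip, USER_RE, NAS_RE)
        strict = entry_matches(user, nas_ip, USER_RE_STRICT, NAS_RE_STRICT)
        rows.append((user, nas_ip, loose, strict))
    return rows


def over_matches(samples=SAMPLES):
    """Requests the posted patterns accept but the anchored ones reject."""
    return [(u, n) for u, n, loose, strict in compare(samples) if loose and not strict]


if __name__ == "__main__":
    for row in compare():
        print("%-12s %-16s posted=%-5s anchored=%s" % row)
```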
