control flow in FreeRADIUS authorize section
Bruce Bauman
bbauman at oit.rutgers.edu
Wed Oct 2 23:06:05 CEST 2013
We are getting unexpected behavior from FreeRADIUS 2.2.x (built from current git).
We want to check if a user is BLOCKED first, and only then do we want to perform some other checks.
Our current config looks like this:
authorize {
    #auth_log # uncomment for debugging
    # try to rewrite calling station ID to be sane
    rewrite_calling_station_id
    rewrite_username_lowercase
    # set VLANs for infected or tempsuspension roles
    IPSblocks_SQL {
        # handle failures
        notfound = 999
        reject = 999
    }
    switch reply:RU-block-description {
        case "infected" {
            if (Airespace-Wlan-Id) {
                update reply {
                    Cisco-AVPair += "url-redirect=http://ruwireless.rutgers.edu/index.php?page=infected"
                    Airespace-ACL-Name = "Cisco_infected"
                }
            }
            else {
                update reply {
                    # try VLAN assignment
                    Tunnel-Type := "VLAN"
                    Tunnel-Medium-Type := "IEEE-802"
                    Tunnel-Private-Group-Id := 1666
                }
            }
            # force accept regardless of password
            update control {
                Auth-Type := "Accept"
            }
            ok
        }
        case "tempsus" {
            update reply {
                # try VLAN assignment
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-Id := 1666
            }
            # force accept regardless of password
            update control {
                Auth-Type := "Accept"
            }
            ok
        }
        # default is to do nothing
    }
    <BUNCH OF OTHER UNLANG CODE>
The IPSblocks_SQL does set RU-block-description correctly, and the case statement behaves as expected.
We want to stop executing the <BUNCH OF UNLANG CODE> in the first two cases ("infected" and "tempsus"), effectively doing something like a return.
I've read the documentation a hundred times and can't figure out how to do what I want - everything I've tried doesn't work.
If someone could give me a simple hint to point me in the right direction it would be greatly appreciated.
-- Bruce
Bruce Bauman - Systems Administrator
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (848) 445-6363