VSA attributes sent with Access-Reject response

Contact (COEXSI) contact at coexsi.fr
Fri May 16 22:26:44 CEST 2014


> Contact (COEXSI) wrote:
> > For filtering the Access-Challenge response when doing EAP, I've these
> > lines
> > (commented) in the default configuration:
> >
> > #	Auth-Type eap {
> > #		eap {
> > #			handled = 1
> > #		}
> > #		if (handled && (Response-Packet-Type == Access-Challenge)) {
> > #			attr_filter.access_challenge.post-auth
> > #			handled  # override the "updated" code from
> > attr_filter
> > #		}
> > #	}
> >
> > When uncommenting them, I've a configuration parsing error:
> >
> > Failed to find "handled" in the "modules" section.
> 
>   Because you edited the configuration, and removed "always" from
> raddb/modules.  It has the definition for "handled".
> 

Yes, we had removed the "always" module as we didn't think it was for
production purpose.
At the beginning of its configuration file, we can read it's used for
debugging:

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.

After adding the "always" module, the configuration is parsed without error.
But, the VSA are still sent along with the EAP-MD5 Access-Challenge
response!

>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list