redirecting REJECTed users

Alan Batie alan at peak.org
Fri Feb 12 23:03:14 CET 2016


On 2/12/16 1:03 PM, Arran Cudbard-Bell wrote:

> authenticate {
> 	Auth-Type perl {
> 		perl {
> 			reject = 1
> 		}
> 		if (reject) {
> 			# do extra things here
> 		}
> 	}
> }
> 
> The NAS probably won't allow assignment unless you send back an accept though.

Exactly, however it looks like Auth-Type has to be something in the
dictionary from this error:

Fri Feb 12 13:35:58 2016 : Auth: (0) Login incorrect (perl: Failed to create pair control:Auth-Type = Unknown-User):


This perl module code does what I'm trying to do:

sub authorize {
        if (!defined($RAD_CHECK{'Auth-Type'})) {
            &radiusd::radlog(L_DBG, "No Auth-Type,setting to Local to default to suspended pool");
            $RAD_CHECK{'Auth-Type'} = 'Local';
        }

        return RLM_MODULE_OK;
}

sub authenticate {
        # if user found, Auth-Type will be set to PAP
        if ($RAD_CHECK{'Auth-Type'} eq 'PAP') {
            # but if they give a bad password, put them in suspended pool
            if ($RAD_REQUEST{'User-Password'} ne $RAD_CHECK{'Cleartext-Password'}) {
                &radiusd::radlog(L_ERR, "Invalid password: " . $RAD_REQUEST{'User-Name'} . "/" . $RAD_REQUEST{'User-Password'});
                $RAD_CHECK{'Pool-Name'} = "suspended";
            }
        } else {
            # and if they don't even exist, put them in suspended pool too
            &radiusd::radlog(L_ERR, "Unknown user: " . $RAD_REQUEST{'User-Name'});
            $RAD_CHECK{'Pool-Name'} = "suspended";
        }

        return RLM_MODULE_OK;
}


with this in the site config:

authorize {
...
#       pap
        perl
}


authenticate {
        Auth-Type PAP {
                perl
        }
        Auth-Type Local {
                perl
        }
}
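
An added example, not part of the original post or FreeRADIUS's own code: the same authenticate logic with the log calls changed so the submitted User-Password is never written to the log and User-Name is escaped before logging. The radiusd::radlog stub, the constant values and the sample request are constructed so the script runs outside the server, and log_safe is a hypothetical helper.

```perl
use strict;
use warnings;

# Stand-ins so this runs outside radiusd (assumption: inside rlm_perl the
# hashes, constants and radiusd::radlog come from the server and the module).
our (%RAD_REQUEST, %RAD_CHECK);
use constant { RLM_MODULE_OK => 2, L_ERR => 4 };
our @LOG;
{ package radiusd; sub radlog { push @main::LOG, $_[1] } }

# Hypothetical helper: make a client-supplied attribute safe for one log
# line by escaping backslashes and non-printable bytes and capping length.
sub log_safe {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/([^\x20-\x5b\x5d-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return length($v) > 64 ? substr($v, 0, 64) . '...' : $v;
}

sub authenticate {
    my $user = log_safe($RAD_REQUEST{'User-Name'});
    if (($RAD_CHECK{'Auth-Type'} // '') eq 'PAP') {
        my $given = $RAD_REQUEST{'User-Password'} // '';
        my $want  = $RAD_CHECK{'Cleartext-Password'} // '';
        if ($given ne $want) {
            # Record the event, never the submitted password.
            radiusd::radlog(L_ERR, "Invalid password: $user");
            $RAD_CHECK{'Pool-Name'} = 'suspended';
        }
    } else {
        radiusd::radlog(L_ERR, "Unknown user: $user");
        $RAD_CHECK{'Pool-Name'} = 'suspended';
    }
    return RLM_MODULE_OK;
}

# Constructed sample request: near-miss password, newline inside User-Name.
%RAD_REQUEST = ('User-Name' => "alice\nx", 'User-Password' => 'Hunter2!');
%RAD_CHECK   = ('Auth-Type' => 'PAP', 'Cleartext-Password' => 'hunter2!');
authenticate();
print "$_\n" for @LOG;
print "pool=$RAD_CHECK{'Pool-Name'}\n";
```

A mistyped password is usually close to the real one, so keeping it out of the log keeps a near-valid credential out of log files and whatever collects them.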


