Alan DeKok wrote:
Nicolas Baradakis <nbk@sitadelle.com> wrote:
1. Allowing VSA in the reply packets is really a bug: if you have an existing username with a wrong password, the VSA useful to set up a connection were pulled from the database during autorize and are send in the reject packet.
That's more of a bug that the return attributes are set up before the user is fully authentication. They should be configured *after* authentication.
Until now it's the only method to get reply items from a SQL database: you have to use the "authorize_reply_query" directive. I'm not using LDAP, but I think this module adds VP to the reply packet during authorize, too. Is it reasonable to modify the SQL queries in version 2.0? We could get only the check items in authorize, and the reply items will be pulled later in post-auth. (only if login is successful) As the failed login attempts represent a significant part of the total RADIUS traffic, this should notably reduce the load of the backend database. (we don't query reply items if not needed) -- Nicolas Baradakis