Thanks for the response Alan. I tested it and it worked. Just made a small change as below to apply the accept to guest account only. I just would like to understand why (purpose) one needs to set 'reject=1'? If I remove the statement the policy doesn't work. Auth-Type PAP { pap{ reject=1 } if (reject && User-Name == "guest") { accept } } Thanks Steven On Wed, 8 Feb 2023 at 14:00, <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: kqueue support (work vlpl) 2. Re: kqueue support (Alan DeKok) 3. Respond with access-accept when password incorrect (Steven Walters) 4. Re: Respond with access-accept when password incorrect (Alan DeKok)
----------------------------------------------------------------------
Message: 1 Date: Tue, 7 Feb 2023 14:01:58 +0100 From: work vlpl <thework.vlpl@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: kqueue support Message-ID: < CAPt3fZjsrb3hGzMLd5+WcOsBpmwF9oskA2p5QEu9K_1PjGz18w@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
On Mon, 6 Feb 2023 at 22:05, Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
You don't need kqueue for FreeRADIUS < v4, so there is no need to build
it.
I am confused a bit, I know I don't need kqueue to compile versions 3.0.x and 3.2.x. But can I compile it? I want to try to use kqueue instead of select.
------------------------------
Message: 2 Date: Tue, 7 Feb 2023 08:07:01 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: kqueue support Message-ID: <0CC83890-26F3-4C42-A3A4-A95A55FF6591@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Feb 7, 2023, at 8:01 AM, work vlpl <thework.vlpl@gmail.com> wrote:
I am confused a bit, I know I don't need kqueue to compile versions 3.0.x and 3.2.x. But can I compile it? I want to try to use kqueue instead of select.
You have the source code. Go look. It's how everyone else learned.
If you don't have time to understand the source code, then there's no point in trying to switch FreeRADIUS to use kqueue.
This list is for people using FreeRADIUS, not for people learning how kqueue works.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 7 Feb 2023 23:01:58 +0200 From: Steven Walters <steven.walters1@gmail.com> To: freeradius-users@lists.freeradius.org Subject: Respond with access-accept when password incorrect Message-ID: <CALF=EMLEFyzGukeZRb45=X86= VdrRUkBZPzT7cDhWW4tTk5XYQ@mail.gmail.com> Content-Type: text/plain; charset="UTF-8"
Hi
We have guest broadband user accounts. I would like RADIUS to respond with access-accept on PAP even if the password is incorrect. I will then write to the database to indicate the session has an incorrect password and allow the PPPoE to connect to the internet.
This will allow the agent to access the CPE to update the password.
What is the best way to achieve this, that is to respond with an authentication success even if the password is incorrect for a specific username?
Regards Steven
------------------------------
Message: 4 Date: Tue, 7 Feb 2023 16:13:52 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Respond with access-accept when password incorrect Message-ID: <1D55996B-2930-483F-9535-0D05C7CE8A84@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Feb 7, 2023, at 4:01 PM, Steven Walters <steven.walters1@gmail.com> wrote:
We have guest broadband user accounts. I would like RADIUS to respond
with
access-accept on PAP even if the password is incorrect. I will then write to the database to indicate the session has an incorrect password and allow the PPPoE to connect to the internet.
This will allow the agent to access the CPE to update the password.
What is the best way to achieve this, that is to respond with an authentication success even if the password is incorrect for a specific username?
You can just use the "accept" policy:
authorize { ... accept }
And it will accept the user.
If you're actually checking passwords, it will have to be a bit different:
authenticate { ... Auth-Type pap { pap { reject = 1 }
if (reject) { accept }
}
}
Though I would strongly recommend putting these users into a limited VLAN. They should have access to update the password, but shouldn't be allowed to connect to the internet.
Alan DeKok.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 214, Issue 6 ************************************************
-- Warm Regards Steven Walters 0814287179