Hi all, I am using FreeRADIUS for quite some time now, though I can't wrap my mind around one thing: When a module (say, mschap with ntlm_auth) returns REJECT because of the user is not present in the AD, I want to continue processing the request to, let's say, accept the request, but provide an alternative VLAN (Tunnel-Id) to the endpoint. In chapter 16.3.1 of http://networkradius.com/doc/FreeRADIUS-Implementation-Ch16.pdf, section "Return Codes as Modules", it clearly states: * reject: Causes the request to be immediately rejected So my question boils down to: How can I use the mscap module to check whether a user is valid, and somehow anticipate that he/she does not exist, and continue with an alternate processing (read: decide later on whether to accept/reject the user) in such a case. I thank you very much in advance, and I appreciate your answer. For full reference, I included my current setup with explainations: --- Using EAP-PEAPv0 -> valid user credentials should result in an accept with AV-Pair list A and invalid credentials should result in Accept but AV-Pair list B Example: Using EAP-PEAP Login OK Sending Accept and Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "22" Login failed Sending Accept and Tunnel-Type = VLAN Tunnel-Medium-Type = IEEE-802 Tunnel-Private-Group-Id = "33" I want to control the result via a manipulated control attribute AcnACLType. I set these attibutes from withing rlm_perl: ########### Snippet Perl Policy ############################### if ( $RAD_CHECK{'AcnACLType'} eq "data" ) { $RAD_CHECK{'Auth-Type'}= "Accept"; $RAD_REPLY{'Reply-Message'}= "data"; $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'}= "22"; $RAD_REPLY{'Tunnel-Type'}= "VLAN"; return RLM_MODULE_OK; } elsif ( $RAD_CHECK{'AcnACLType'} eq "authfail" ) { $RAD_CHECK{'Auth-Type'}= "Accept"; $RAD_REPLY{'Reply-Message'}= "AuthFail"; $RAD_REPLY{'Tunnel-Medium-Type'}= "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'}= "33"; $RAD_REPLY{'Tunnel-Type'}= "VLAN"; return RLM_MODULE_OK; } ########### Snippet Perl Policy ############################### In case of MSCHAP authenticating, everything works as expected: ===================Begin LOG ================================ Wed Jun 18 09:59:50 2014 : Info: [eap] processing type mschapv2 Wed Jun 18 09:59:50 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel Wed Jun 18 09:59:50 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] Told to do MS-CHAPv2 for pschmidt with NT-Password Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=testlab.auconet.lan Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] Creating challenge hash with username: pschmidt Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9499863a8977daa3 Wed Jun 18 09:59:50 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=161b24c676d1a53738cdb10037111c81f1fe1d4d5407266a Wed Jun 18 09:59:50 2014 : Debug: Exec-Program output: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886 Wed Jun 18 09:59:50 2014 : Debug: Exec-Program-Wait: plaintext: NT_KEY: 00D98A4AFC1CD84EED151A5ECAD45886 Wed Jun 18 09:59:50 2014 : Debug: Exec-Program: returned: 0 Wed Jun 18 09:59:50 2014 : Info: ++[mschap] returns ok Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) Wed Jun 18 09:59:50 2014 : Info: ? Evaluating (ok) -> TRUE Wed Jun 18 09:59:50 2014 : Info: ++? if (ok) -> TRUE Wed Jun 18 09:59:50 2014 : Info: ++- entering if (ok) {...} Wed Jun 18 09:59:50 2014 : Info: +++[control] returns ok Wed Jun 18 09:59:50 2014 : Info: ++- if (ok) returns ok Wed Jun 18 09:59:50 2014 : Info: ++ ... skipping elsif for request 20: Preceding "if" was taken Wed Jun 18 09:59:50 2014 : Debug: MSCHAP Success Wed Jun 18 09:59:50 2014 : Info: ++[eap] returns handled } # server inner-tunnel Wed Jun 18 09:59:50 2014 : Info: ++[control] returns ok : Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair User-Name = testlab.auconet.lan\\pschmidt Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x030b0004 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair EAP-EMSK = 0x97d3f6e398c284127ee6ad52d55d8a0e609e453971050f546c964193d18dae3c0d74518ef466560670426f120bae29e1c268494e07b5c13ce67033c7135a08d3 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 22 Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair AcnACLType = data Wed Jun 18 09:59:50 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept Wed Jun 18 09:59:50 2014 : Info: ++[perlpolicy] returns ok Wed Jun 18 09:59:50 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 09:59:50 2014 : Info: +- entering group post-auth {...} Wed Jun 18 09:59:50 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 11 to 127.0.0.1 port 38368 Reply-Message = "AuthFail" MS-MPPE-Send-Key = 0x8cc588be92973040e5f09c8ebdc30ea4480a717aaf984fdf8182c3c6c5ffbfa8 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testlab.auconet.lan\\pschmidt" MS-MPPE-Recv-Key = 0x8a6959f6fd9e2f85fadce413f5691ba0ade9bd80d6fee90893d598bfc978a1d5 EAP-Message = 0x030b0004 Tunnel-Private-Group-Id:0 = "22" Wed Jun 18 09:59:50 2014 : Info: Finished request 22. =============================== END LOG ===================================== My problem begins if the credentials are invalid. In this case inner-tunnel returns with "REJECT" and then there seems to be no way to change this into an "ACCEPT". My feeling at this point is that I miss an important concept in the way FreeRADIUS processes requests. Here is a snippet from inner-tunnel section: ############### SNIP ########################## authenticate { Auth-Type EAP { eap { ok = 1 reject = return fail=return } # if (ok) { update control { Auth-Type := "Accept" AcnACLType="data" } } elsif (reject) { update control { Auth-Type := "Accept" AcnACLType="authfail" LogMessage := "RadiusReject" } auconetLog } } ########################## End Inner tunnel ########################### and in default server ############################ Default Server ########################### Auth-Type EAP { eap { ok = 1 reject = return invalid =1 } if (ok) { update control { #Auth-Type := "Accept" AcnACLType := "data" } #update reply { # Tunnel-Type := VLAN # Tunnel-Medium-Type := IEEE-802 # Tunnel-Private-Group-Id := "22" #} } elsif (reject || invalid ) { update control { AcnACLType := "authfail" LogMessage := "RadiusReject" Auth-Type := "Accept" } auconetLog update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-Id := "33" } } update control { FreeRADIUS-Client-Shortname="%{Client-Shortname}" } perlpolicy } ###################################################### The log is: ================ LOG Begin =================================== Wed Jun 18 10:48:04 2014 : Info: [eap] processing type mschapv2 Wed Jun 18 10:48:04 2014 : Info: [mschapv2] # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/inner-tunnel Wed Jun 18 10:48:04 2014 : Info: [mschapv2] +- entering group MS-CHAP {...} Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] Told to do MS-CHAPv2 for radiusfail with NT-Password Wed Jun 18 10:48:04 2014 : Info: [mschap] No NT-Domain was found in the User-Name. Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain= Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --username=%{mschap:User-Name} -> --username=radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] Creating challenge hash with username: radiusfail Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=3fc42259705d168a Wed Jun 18 10:48:04 2014 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1a7a459b40d3527944a7aadcdf32a499c097cf0dc1c296ad Wed Jun 18 10:48:04 2014 : Debug: Exec-Program output: Logon failure (0xc000006d) Wed Jun 18 10:48:04 2014 : Debug: Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Wed Jun 18 10:48:04 2014 : Debug: Exec-Program: returned: 1 Wed Jun 18 10:48:04 2014 : Info: [mschap] External script failed. Wed Jun 18 10:48:04 2014 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Wed Jun 18 10:48:04 2014 : Info: ++[mschap] returns reject Wed Jun 18 10:48:04 2014 : Info: [eap] Freeing handler Wed Jun 18 10:48:04 2014 : Info: ++[eap] returns reject <<<<<< Wed Jun 18 10:48:04 2014 : Info: Failed to authenticate the user. } # server inner-tunnel Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Info: [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Info: [peap] Tunneled authentication was rejected. Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair State = 0xe26df394eb67ea7b6c664f076e6e6a50 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Calling-Station-Id = 02:00:00:00:00:01 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x6ab434e42ece49cdb13eb90438443c03 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair User-Name = radiusfail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x020a0050190017030100208c1c20ac2dcb12e53b8a57d494b40657b43bd5019ca84e352e57a1069a1176a917030100209ed7b46fa6d167c1aacf327ae328c70674c366c0ddeceab26e7ba5232f3b029e Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Type = PEAP Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair NAS-IP-Address = 127.0.0.1 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Framed-MTU = 1400 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Reply-Message = AuthFail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair EAP-Message = 0x040a0004 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Type = VLAN Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Tunnel-Private-Group-Id = 33 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair FreeRADIUS-Client-Shortname = localhost Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair LogMessage = RadiusReject Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair AcnACLType = authfail Wed Jun 18 10:48:04 2014 : Debug: rlm_perl: Added pair Auth-Type = Accept Wed Jun 18 10:48:04 2014 : Info: ++[perlpolicy] returns ok Wed Jun 18 10:48:04 2014 : Info: # Executing section post-auth from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 10:48:04 2014 : Info: +- entering group post-auth {...} Wed Jun 18 10:48:04 2014 : Info: ++[exec] returns noop Wed Jun 18 10:48:04 2014 : Info: Using Post-Auth-Type Reject Wed Jun 18 10:48:04 2014 : Info: # Executing group from file /home/auconet/freeradius/test/CSI/etc/raddb//sites-enabled/default Wed Jun 18 10:48:04 2014 : Info: +- entering group REJECT {...} Wed Jun 18 10:48:04 2014 : Info: ++- group REJECT returns noop Wed Jun 18 10:48:04 2014 : Info: Delaying reject of request 10 for 1 seconds Wed Jun 18 10:48:04 2014 : Debug: Going to the next request Wed Jun 18 10:48:04 2014 : Debug: Waking up in 0.9 seconds. Wed Jun 18 10:48:05 2014 : Info: Sending delayed reject for request 10 Sending Access-Reject of id 10 to 127.0.0.1 port 51730 Reply-Message = "AuthFail" EAP-Message = 0x040a0004 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "33" Message-Authenticator = 0x00000000000000000000000000000000 Wed Jun 18 10:48:05 2014 : Debug: Waking up in 3.9 seconds. ================= LOG End ===================================== My naïve idea is to instead send an Access-Accept with a Tunnel-Id of 11. I disabled the filter in Post-Auth-Type REJECT { #attr_filter.access_reject } to see attributes from my perl-policy. Thanks