many thanks for your reply , actually this is my post auth config post-auth { exec sql Post-Auth-Type REJECT { sql attr_filter.access_reject } } and this the log when I do this configuration it is not run the SQL module after exec in reject type rlm_sql (sql): Released connection (0) (0) [sql] = ok (0) if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) { (0) if (User-Name =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> FALSE (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section session from file /usr/local/etc/raddb/sites-enabled/default (0) session { (0) sql: EXPAND %{User-Name} (0) sql: --> abhibose (0) sql: SQL-User-Name set to 'abhibose' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL (0) sql: --> SELECT COUNT(*) FROM radacct WHERE username = 'abhibose' AND acctstoptime IS NULL (0) sql: Executing select query: SELECT COUNT(*) FROM radacct WHERE username = 'abhibose' AND acctstoptime IS NULL rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) } # session = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (0) post-auth { (0) exec: Executing: /usr/bin/php /var/www/html/cloudradius/captiveportal/auth_new.php "abhibose" "1234" "4e:f9:5e:77:0c:9a" "102" "103.200.57.138" "PPP" "192.168.0.1" "" "nas" : (0) exec: ERROR: Program returned code (1) and output 'Reply-Message :="Your Account has been expired."' (0) [exec] = reject (0) } # post-auth = reject (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 146 from 127.0.0.1:1812 to 127.0.0.1:54425 length 52 (0) Reply-Message := "Your Account has been expired." Waking up in 3.9 seconds. [1562314050593] ________________________________ From: Alan DeKok <aland@deployingradius.com> Sent: Saturday, October 3, 2020 7:22:29 PM To: FreeRadius users mailing list Cc: Muhammed Buvaydani Subject: Re: Run sql Module after exec in radpostauth On Oct 3, 2020, at 11:01 AM, Muhammed Buvaydani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am using external php script for authentication which I configured in users file , the PHP script will return the reason of the reject and I want to save this reason in radpost auth table, the problem is if I set SQL module before exec and the user was accepted as PAP but rejected from my script then the radpost auth will have access-accept even if he is rejected by my PHP script , this is the debug
Move "sql" to after "exec" then.
so if I put SQL module after exec , then the sqk will not run at all .
Yes, you can also list "sql" in the "Post-Auth-Type Reject" section. Which will log the reject. Alan DeKok.