Norbert Wegener wrote:
If fear not...
Hmm... if this is in the "authenticate" section, then the rules are different. The authenticate section is processed by selecting *one* module / section from the list. That *one* module is processed. So if you have: authenticate { eap foo } Then "eap" is run for Auth-Type = eap. "foo" is not used, and any failure / noop / whatever of "eap" does NOT cause it to fall through to "foo". The solution is to wrap it in an Auth-Type block: authenticate { Auth-Type eap { eap { invalid = 1 } if ( invalid ) { ... } } foo } In this case, the "eap" *section* will be processed. The contents will be treated just as if they were being run in the "authorize" section. So the default action for "invalid" has to be changed in order for it to fall through, and continue processing. Alan DeKok.