Ok. I was just assuming that the FreeRadius Wiki was an authoritative source, and if it's written there, there must be something I just wasn't understanding that required it to be that way. When I get something working correctly, shall I register for an account and update your wiki page accordingly (once MySQL is working again)? -Jason Alan DeKok wrote:
Jason Antman wrote:
And in post-auth{}: ### snip ### if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject
Uh... why? If the user is authenticated, you shouldn't be rejecting him.
If I put a "sql" line before this, it always logs with Access-Accept, since that's what authenticate{} ALWAYS returns, and the sql module is being called before . If I put a "sql" line after this, it never gets executed for "reject" statements...
Because you're doing it wrong. The whole point of accepting the user is that you *don't* reject them.
Change your rules to reject the user *before* they're accepted. The logging will then behave as you expect. It doesn't behave as you expect now, because you're rejecting them after you've accepted them. That makes no sense.
Why is the authorize statement in the post-auth { } section? That seems to be the cause of these problems...
So move it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html