On Nov 28, 2020, at 12:23 AM, Mike Ruebner <freeradius@machichemicals.com> wrote:
I am rejecting PEAP requests from specific AVPs in my inner-tunnel 'authorize' section. That's pretty much it, but those rejects still hit 'post-auth', where I have to specifically exclude them from a lockout counter. Is there a way to, for lack of better words, gracefully 'exit' inner-tunnel from my PEAP-reject module? Meaning, no execution of sections further down the food chain (ie., authenticate, post-auth).
There's no way to stop that state machine. But, once you reject a user, it skips the "authenticate" section. And, runs the "Post-Auth-Type Reject" sub-section of "post-auth". You might need to upgrade. In some older versions it didn't run "Post-Auth-Type Reject" in the inner tunnel. Alan DeKok.