hmm, all you are doing is setting the values to what they normally are...you need something like
group { sql_new { reject = 1 ok = return } sql_old { reject = 1 ok = return } }
alan -
[JK] Tried that earlier Alan. Seems whenever is set ok = return, we process no further. Here's the logs from a 'radtest', where testRadOld is entered as the password (testRad is the new password, testRadOld is the old password in the DB). We see the first query, where there is a password mismatch, but the second query never happens (it does in other configuration settings, but I never see it compare BOTH passwords to what was received): ++- entering group {...} [sql_new] expand: %{User-Name} -> radTest [sql_new] sql_set_user escaped user --> 'radTest' rlm_sql (sql_new): Reserving sql socket id: 3 [sql_new] expand: select repeat('1',1) as Id,tunnelid as UserName,repeat('Cleartext-Password',1) as Attribute, newkey as Value,repeat(':=',1) as op from am_tunnelkey where tunnelid ='%{SQL-User-Name}' ORDER BY id -> select repeat('1',1) as Id,tunnelid as UserName,repeat('Cleartext-Password',1) as Attribute, newkey as Value,repeat(':=',1) as op from am_tunnelkey where tunnelid ='radTest' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 1 , fields = 5 [sql_new] User found in radcheck table rlm_sql (sql_new): Released sql socket id: 3 +++[sql_new] returns ok ++- group returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testRadOld" [pap] Using clear text password "testRad" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [radTest] (from client localhost port 1812) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radTest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 26 to 127.0.0.1 port 32800 Thanks, John This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.