On 12 Feb 2016, at 14:34, Alan Batie <alan@peak.org> wrote:
On 2/12/16 2:12 PM, Matthew Newton wrote:
Auth-Type is an internal attribute. It's not sent back to the NAS. It should be 'Accept'.
You need to send something else to your NAS to tell it to quarantine the user. For example it if is a switch you might set a different VLAN by sending back a different Tunnel-Private-Group-Id.
That's what specifying a different ip pool does - it then gives the user a non-routable ip address (e.g. 10.99.x.x). At the moment, the main goal is keeping some misconfigured/suspended modems from spamming the logfile (they retry at relatively high rates on rejection), but eventually we'll use the mechanism to redirect users to a web site like most wireless hotspots do.
OK, then Matthew is correct. Just do everything in perl.authorize. The sections are mainly there as a basic framework. If your perl module does all the work, of authorization/authentication, and is never going to reject users, you can just do authorize { update control { Auth-Type := Accept } perl } and omit the authenticate section entirely. Sometimes it's better to ignore the standard progression of the server if what you're doing doesn't fit with the traditional AAA model. FreeRADIUS is pretty flexible in what it allows. There's almost always a way to alter the standard behaviour of the server at any given point, you just need to figure out what it is ;) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2