I'm using "freeradius-3.0.1-6.el7.x86_64" as proxy, between radius server and a mikrotik NAS for pppoe users, this is the scheme.
My goal is to change the Access-Reject messaje recieved in the Proxy radius from the Radius server to send to the NAS an Access-Accept with some attributtes, like this more or less, i tried to put this just inside "Post-Auth-Type REJECT" in Post-Auth section without results
i think i just miss to put before this update control the if condition before, but i dont know which one to use
rad_recv: Accounting-Response packet from host 10.100.1.101 port 1813, id=225, length=25
Proxy-State = 0x323033
(0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap : No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
Sending Accounting-Response of id 203 from 10.100.1.100 port 1813 to 10.200.0.34 port 56239
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 8546310
NAS-Port-Type = Ethernet
User-Name = 'USERNAME_XX'
Calling-Station-Id = 'D4:CA:6D:47:A5:27'
Called-Station-Id = 'pppoe-Excom'
NAS-Port-Id = 'bridge-pppoe'
User-Password = 'Password'
NAS-Identifier = 'PABELLON_RT1'
NAS-IP-Address = 10.200.0.34
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) ? if (User-Name != "%{tolower:%{User-Name}}")
(1) expand: "%{tolower:%{User-Name}}" -> 'username_xx'
(1) ? if (User-Name != "%{tolower:%{User-Name}}") -> TRUE
(1) if (User-Name != "%{tolower:%{User-Name}}") {
(1) [reject] = reject
(1) } # if (User-Name != "%{tolower:%{User-Name}}") = reject
(1) } # filter_username filter_username = reject
(1) } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Post-Auth-Type REJECT {
(1) attr_filter.access_reject : expand: "%{User-Name}" -> 'USERNAME_XX'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1) [attr_filter.access_reject] = updated
(1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(1) [eap] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) ? if (reply:EAP-Message && reply:Reply-Message)
(1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
(0) Cleaning up request packet ID 203 with timestamp +5
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due to unfinished request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due to delayed reject
Waking up in 0.3 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 204 from 10.100.1.100 port 1812 to 10.200.0.34 port 60374