Hi,

I'm using "freeradius-3.0.1-6.el7.x86_64" as proxy, between radius server and a mikrotik NAS for pppoe users, this is the scheme.

NAS          -->        Proxy freeradius --> freeradius Server
10.200.0.34            10.100.1.100              10.100.1.101

My goal is to change the Access-Reject messaje recieved in the Proxy radius from the Radius server to send to the NAS an Access-Accept with some attributtes, like this more or less, i tried to put this just inside "Post-Auth-Type REJECT" in Post-Auth section without results

 if (reject) { 
                ok # over-ride "reject" 
                    update control {
                    Auth-Type := Accept
                    Framed-Pool = 'BAN'
                   }
}

i think i just miss to put before this update control the if condition before, but i dont know which one to use

This is what i can see in debug mode:

rad_recv: Accounting-Response packet from host 10.100.1.101 port 1813, id=225, length=25
        Proxy-State = 0x323033
(0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default
(0)   post-proxy {
(0) eap : No pre-existing handler found
(0)   [eap] = noop
(0)  } #  post-proxy = noop
Sending Accounting-Response of id 203 from 10.100.1.100 port 1813 to 10.200.0.34 port 56239
(0) Finished request 0.
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 8546310
        NAS-Port-Type = Ethernet
        User-Name = 'USERNAME_XX'
        Calling-Station-Id = 'D4:CA:6D:47:A5:27'
        Called-Station-Id = 'pppoe-Excom'
        NAS-Port-Id = 'bridge-pppoe'
        User-Password = 'Password'
        NAS-Identifier = 'PABELLON_RT1'
        NAS-IP-Address = 10.200.0.34
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")
(1)     expand: "%{tolower:%{User-Name}}" -> 'username_xx'
(1)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> TRUE
(1)    if (User-Name != "%{tolower:%{User-Name}}")  {
(1)     [reject] = reject
(1)    } # if (User-Name != "%{tolower:%{User-Name}}")  = reject
(1)   } # filter_username filter_username = reject
(1)  } #  authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)  Post-Auth-Type REJECT {
(1) attr_filter.access_reject :         expand: "%{User-Name}" -> 'USERNAME_XX'
(1) attr_filter.access_reject : Matched entry DEFAULT at line 11
(1)   [attr_filter.access_reject] = updated
(1) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(1)   [eap] = noop
(1)   remove_reply_message_if_eap remove_reply_message_if_eap {
(1)    ? if (reply:EAP-Message && reply:Reply-Message)
(1)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(1)    else else {
(1)     [noop] = noop
(1)    } # else else = noop
(1)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1)  } # Post-Auth-Type REJECT = updated
(1) Finished request 1.
(0) Cleaning up request packet ID 203 with timestamp +5
Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due to unfinished request
Waking up in 0.6 seconds.
rad_recv: Access-Request packet from host 10.200.0.34 port 60374, id=204, length=157
(1) Discarding duplicate request from client Bejar port 60374 - ID: 204 due to delayed reject
Waking up in 0.3 seconds.
(1) Sending delayed reject
Sending Access-Reject of id 204 from 10.100.1.100 port 1812 to 10.200.0.34 port 60374


Can anyone help me??

Best regards, JJ


--

------------------------------------
Juanjo Abenza Sánchez
Operaciones
Free Technologies Excom, S.L.
http://www.excom.es
Tel. 902 02 02 34   Ext. 202
Fax 902 87 66 41
-----------------------------------

AVISO LEGAL

Este mensaje es CONFIDENCIAL, siendo para uso exclusivo de su destinatario. Si usted no es el destinatario,

por favor, reenvíe el mensaje inmediatamente a la dirección remitente y proceda a su borrado.

Free Technologies Excom, s.l. incluirá su dirección de correo electrónico, así como los datos de contacto que

le facilite en un fichero automatizado, con el fin de gestionar el envío de comunicaciones profesionales y/o

personales. Para ejercitar sus derechos de acceso, rectificación, cancelación y oposición, remita su solicitud a:

Free Technologies Excom, s.l. - Avenida Valdeparra nº 27, edificio nº 1, planta 2, oficina 4 - 28108,

Alcobendas (Madrid).

LEGAL NOTICE

This message is CONFIDENTIAL, being for exclusive use of the addressee. If you are not the addressee, please

forward this message to sender inmediately and arrange for its deletion.

Free Technologies Excom, s.l. will include your address and contact details in an automated file, in order to

manage the delivery of business and personal communications. To exercise your rights of access, rectification,

cancellation and opposition, send your request to:

Free Technologies Excom, s.l. - Avenida Valdeparra nº 27, edificio nº 1, planta 2, oficina 4 - 28108,

Alcobendas (Madrid).