Greets, Using freeradius 2.0.5 and rlm_perl. Let's say we have a username which is locked in /etc/shadow. Normal authentication will prevent this user from logging in. I would like to override this behaviour in either authorize() or post_auth() and allow the user to login (but with modified $RAD_REPLY) despite the locked system user. In authorize(), changing $RAD_REPLY (to allow a modified service) is no problem, but I'm not sure what to return so radiusd will authenticate the user even though their password is incorrect (return RLM_MODULE_OK of course doesn't change this behaviour) - eg, rejecting a user is easy, just return RLM_MODULE_REJECT. Is there a way to change the reply from Access-Reject, to Access-Accept? Thanks Henry
Is there a way to change the reply from Access-Reject, to Access-Accept?
There is a way to change the packet type but it is a bad idea. Placing unauthorized users in something like a guest VLAN should be the part of your NAS functionality, rather than (deliberately) breaking authentication on the radius server. Ivan Kalik Kalik Informatika ISP
Quoting tnt@kalik.net:
Is there a way to change the reply from Access-Reject, to Access-Accept?
There is a way to change the packet type but it is a bad idea. Placing unauthorized users in something like a guest VLAN should be the part of your NAS functionality, rather than (deliberately) breaking authentication on the radius server.
Thanks for the response, Ivan. We don't have access to the NAS servers (we merely auth) and this is the only way we can do this cleanly (without physically unlocking the user, managing that process, etc). Can you provide pointers on how to change the reply? Thanks Henry
participants (2)
-
Henry -
tnt@kalik.net