Re: Auth-Type = Reject not being obeyed
I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':=' operator to reject a CHAP authentication. Unfortunately, it's not always easy to place a live production system in debug mode, hence the initial "is this something stupid" question :) (And apologies for the lack of a subject line in the original post). Cheers, Matt -----Original Message----- Date: Fri, 24 May 2013 17:31:29 +0100 From: Phil Mayers <p.mayers@imperial.ac.uk> To: freeradius-users@lists.freeradius.org Subject: Re: Auth-Type = Reject not being obeyed Message-ID: <519F95E1.6010100@imperial.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 24/05/13 17:19, Alan Buxey wrote:
The only difference I can see is that the first example uses a plain-text password, and the RADIUS on the LNS is using CHAP?
The backend database has "=" in the 'op' field (and not ":="), so the returned attribute is "Auth-Type = Reject" and not "Auth-Type := Reject", but it is correctly rejected using radtest/radclient, and I believe the "=" operand to be correct.
You might have this: authorize { ... chap sql ... } ..and Auth-Type is already set by chap, hence "=" doesn't overwrite it. Anyway, you're not correct that "=" is the right operator; ":=" means "force" i.e. set this attribute to this value, always, and that's what you want to do here, right? "=" means "set if unset" As has also been pointed out - show "radiusd -X" for a problem auth (and set a subject line...)
Hi,
I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':=' operator to reject a CHAP authentication.
Unfortunately, it's not always easy to place a live production system in debug mode, hence the initial "is this something stupid" question :)
yes it is. use the control-socket virtual machine, then use radmin and only turn on full debugging for a particular username, calling-station-id or such - man radmin this isnt a dumb server ;-) alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Matthew Melbourne