attribute checking in the session REJECT
Hi, In the authorize section, I check the username and password and print the relevant Reply-Message as in the followings. I works. authorize { .. sql{ notfound = 1 reject = 2 } if(notfound){ update reply { Reply-Message := "Please check your Username" } reject } if(reject){ update reply { Reply-Message := "%{reply:Reply-Message} Wrong Password" } reject } .. } Then, for those who reject, I check the NAS-Identifier in the "Post-Auth-Type REJECT" section. If the NAS-Identifier is incompatible according to the racheck table, I print a "wrong NAS" message. Ok so far. However, if the NAS-Identifier is not in the radcheck table, the NAS-Identifier should not check, if the password is incorrect, I want a "wrong password" error. I couldn't do this. Post-Auth-Type REJECT { .... if (&NAS-Identifier != "%{sql:SELECT value FROM radcheck WHERE Username = '%{User-Name}' and attribute='NAS-Identifier'}") { update reply { Reply-Message = "%{Reply-Message} Wrong NAS, NAS:%{NAS-Identifier}" } } update reply { Reply-Message = "%{reply:Reply-Message} Wrong Password." # Reply-Message := "Wrong Password.." } .. } Could you please help me how to fix it. Regards
On Sep 10, 2025, at 6:01 AM, Can Paçacı <pacaci@servisnet.com.tr> wrote:
In the authorize section, I check the username and password and print the relevant Reply-Message as in the followings. I works.
That's not really what you want to do. The SQL module will never return "reject" in the "authorize" section. This should work better: authorize { .. sql if (notfound) { update reply { Reply-Message := "Please check your Username" } reject }
Then, for those who reject, I check the NAS-Identifier in the "Post-Auth-Type REJECT" section. If the NAS-Identifier is incompatible according to the racheck table, I print a "wrong NAS" message. Ok so far.
However, if the NAS-Identifier is not in the radcheck table, the NAS-Identifier should not check, if the password is incorrect, I want a "wrong password" error. I couldn't do this.
I'm not sure what that means. Write it out what you want as complete sentences. You should be able to then convert it to unlang fairly easily. Alan DeKok.
Sorry I couldn't explain clearly. I listed the things I wanted to do during the checks on the auth access package as follows: In the Received Access-Request, -In the normal conditions check User-Name, User-Password and NAS-Identifier and write the appropriate Reply-Message to the return package. -In cases where NAS-Identifier is not defined in the radcheck table only check the User-Name and User-Password and write the appropriate Reply-Message to the return package. Regards On 9/10/25 20:38, Alan DeKok via Freeradius-Users wrote:
I'm not sure what that means.
Write it out what you want as complete sentences. You should be able to then convert it to unlang fairly easily.
-- Can Paçacı pacaci@servisnet.com.tr Servisnet A.Ş. Tel: 90 530 5450952
On Sep 11, 2025, at 1:44 AM, Can Paçacı <pacaci@servisnet.com.tr> wrote:
Sorry I couldn't explain clearly. I listed the things I wanted to do during the checks on the auth access package as follows:
In the Received Access-Request, -In the normal conditions check User-Name, User-Password and NAS-Identifier and write the appropriate Reply-Message to the return package. -In cases where NAS-Identifier is not defined in the radcheck table only check the User-Name and User-Password and write the appropriate Reply-Message to the return package.
But the server does that already. If you list a User-Name, User-Password, and NAS-Identifier in radcheck, they will all be used. If you only list a User-Name and User-Password in radcheck, it will only use / check those. Perhaps you're looking to catch the situation where a user has a correct name / password, but is using the wrong NAS. For that situation, you don't need to do anything. Just list the right NAS-Identifier in radcheck. Then, if the user logs into a different NAS, it won't match. Since that entry didn't match, the User-Password won't be added. And the user will be rejected. Alan DeKok.
On 9/11/25 15:21, Alan DeKok via Freeradius-Users wrote:
On Sep 11, 2025, at 1:44 AM, Can Paçacı <pacaci@servisnet.com.tr> wrote:
Sorry I couldn't explain clearly. I listed the things I wanted to do during the checks on the auth access package as follows:
In the Received Access-Request, -In the normal conditions check User-Name, User-Password and NAS-Identifier and write the appropriate Reply-Message to the return package. -In cases where NAS-Identifier is not defined in the radcheck table only check the User-Name and User-Password and write the appropriate Reply-Message to the return package. But the server does that already.
If you list a User-Name, User-Password, and NAS-Identifier in radcheck, they will all be used. If you only list a User-Name and User-Password in radcheck, it will only use / check those.
Yes, you are right, the system already performs this check under normal conditions
Perhaps you're looking to catch the situation where a user has a correct name / password, but is using the wrong NAS. For that situation, you don't need to do anything. Just list the right NAS-Identifier in radcheck. Then, if the user logs into a different NAS, it won't match. Since that entry didn't match, the User-Password won't be added. And the user will be rejected.
on the contrary if the NAS-Identifier is not defined in radcheck, I do not want it to produce an incorrect NAS message. I should write an unlang for this exception but I haven't quite succeeded.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Can Paçacı pacaci@servisnet.com.tr Servisnet A.Ş. Tel: 90 530 5450952
participants (2)
-
Alan DeKok -
Can Paçacı