Setting Auth-Type to Accept using unlang
Hello, I want freeradius to assign to a specific ippool any invalid user (user not found or wrong password) as well as accept it. I am trying to do the following in post-auth but so far I can get freeradius to send the Reply-Message, DNS, etc... but it will still send Reject-Access. I am guessing that doing Auth-Type := "Accept" is too late in post-auth. Post-Auth-Type REJECT { if (!NAS-IP-Address == X.X.X.X) { update reply { Reply-Message = "Restricted Access" MS-Primary-DNS-Server = X.X.X.X MS-Secondary-DNS-Server = X.X.X.X RP-Max-Sessions-Per-User = 100 } update control { Auth-Type := "Accept" Pool-Name := "invaliduser_pool" } # Get an address from the IP Pool. invaliduser_pool sql } } I am using the latest version of freeradius 2.1.1. Regards, Abel.
Yes, you can't change Auth-Type *after* authentication (post-auth section). Move that to authorize section after pap. Check that Auth-Type hasn't been set and do those updates. Ivan Kalik Kalik Informatika ISP Dana 13/10/2008, "Abel Alejandro" <aalejandro@gmail.com> piše:
Hello,
I want freeradius to assign to a specific ippool any invalid user (user not found or wrong password) as well as accept it.
I am trying to do the following in post-auth but so far I can get freeradius to send the Reply-Message, DNS, etc... but it will still send Reject-Access. I am guessing that doing Auth-Type := "Accept" is too late in post-auth.
Post-Auth-Type REJECT { if (!NAS-IP-Address == X.X.X.X) { update reply { Reply-Message = "Restricted Access" MS-Primary-DNS-Server = X.X.X.X MS-Secondary-DNS-Server = X.X.X.X RP-Max-Sessions-Per-User = 100 } update control { Auth-Type := "Accept" Pool-Name := "invaliduser_pool" } # Get an address from the IP Pool. invaliduser_pool sql } }
I am using the latest version of freeradius 2.1.1.
Regards, Abel. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How do I test if Auth-Type is not set? I tried with: if (!Auth-Type) { and a few others and couldnt get it to do the trick. Abel. 2008/10/13 <tnt@kalik.net>:
Yes, you can't change Auth-Type *after* authentication (post-auth section). Move that to authorize section after pap. Check that Auth-Type hasn't been set and do those updates.
Ivan Kalik Kalik Informatika ISP
Dana 13/10/2008, "Abel Alejandro" <aalejandro@gmail.com> piše:
Hello,
I want freeradius to assign to a specific ippool any invalid user (user not found or wrong password) as well as accept it.
I am trying to do the following in post-auth but so far I can get freeradius to send the Reply-Message, DNS, etc... but it will still send Reject-Access. I am guessing that doing Auth-Type := "Accept" is too late in post-auth.
Post-Auth-Type REJECT { if (!NAS-IP-Address == X.X.X.X) { update reply { Reply-Message = "Restricted Access" MS-Primary-DNS-Server = X.X.X.X MS-Secondary-DNS-Server = X.X.X.X RP-Max-Sessions-Per-User = 100 } update control { Auth-Type := "Accept" Pool-Name := "invaliduser_pool" } # Get an address from the IP Pool. invaliduser_pool sql } }
I am using the latest version of freeradius 2.1.1.
Regards, Abel. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
How do I test if Auth-Type is not set?
I tried with:
if (!Auth-Type) {
That should work (I don't have 2.1.1 installed but I have tested that in 2.0.5 some time ago). You have added that in authorize (not authenticate) after pap entry? Post the debug. Ivan Kalik Kalik Informatika ISP
On Tue, Oct 14, 2008 at 4:39 AM, <tnt@kalik.net> wrote:
How do I test if Auth-Type is not set?
I tried with:
if (!Auth-Type) {
That should work (I don't have 2.1.1 installed but I have tested that in 2.0.5 some time ago). You have added that in authorize (not authenticate) after pap entry? Post the debug.
The problem is that if (!Auth-Type) returns true even when the user is valid. Here is a debug when the user is valid. ++[sql] returns ok ++[pap] returns updated ++? if (!Auth-Type) ? Evaluating !(Auth-Type) -> FALSE ++? if (!Auth-Type) -> TRUE ++- entering if (!Auth-Type) {...} +++? if (!NAS-IP-Address == 196.12.161.237) ? Evaluating !(NAS-IP-Address == 196.12.161.237) -> FALSE +++? if (!NAS-IP-Address == 196.12.161.237) -> TRUE +++- entering if (!NAS-IP-Address == 196.12.161.237) {...} ++++[reply] returns updated ++++[control] returns updated +++- if (!NAS-IP-Address == 196.12.161.237) returns updated ++- if (!Auth-Type) returns updated Found Auth-Type = Accept Auth-Type = Accept, accepting the user +- entering group post-auth {...} I am using the following in the authorize section right after pap: if (!Auth-Type) { if (!NAS-IP-Address == X.X.X.X) { update reply { Reply-Message = "Restricted Access" MS-Primary-DNS-Server = X.X.X.X MS-Secondary-DNS-Server = X.X.X.X RP-Max-Sessions-Per-User = 100 } update control { Auth-Type := "Accept" Pool-Name := "invaliduser_pool" } } }
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Abel Alejandro -
Alan DeKok -
tnt@kalik.net