Deleting reply items before post-proxy
Alan DeKok
aland at deployingradius.com
Thu Aug 30 18:00:14 CEST 2007
Eddie Stassen wrote:
> I was trying to get rid of my 'post-proxy-authorize' dependency and
> found that any attributes added during the authorize stage are removed
> when the proxy reply is received. Surely this is not intended
> behaviour
Yes. The problem is that the "authorize" stage is usually done wrong,
for reasons that go back to the original implementation.
The authorize section often updates the *reply*, which is just plain
backwards. Instead, the authorize section should set the stage for the
authentication stage, i.e. known passwords, group checking, etc. Once
the user is authenticated, the post-authenticate section should set the
reply.
> Removing the initial pairfree() gives me the behaviour I expected, i.e.
> add some stuff during authorize, proxy, then combine reply and
> proxy_reply items before responding. Am I missing something?
I think your policy can be re-written to add most reply items in the
post-authentication stage.
Alan DeKok.
More information about the Freeradius-Devel
mailing list