Deleting reply items before post-proxy
aland at deployingradius.com
Thu Aug 30 18:00:14 CEST 2007
Eddie Stassen wrote:
> I was trying to get rid of my 'post-proxy-authorize' dependency and
> found that any attributes added during the authorize stage are removed
> when the proxy reply is received. Surely this is not intended
Yes. The problem is that the "authorize" stage is usually done wrong,
for reasons that go back to the original implementation.
The authorize section often updates the *reply*, which is just plain
backwards. Instead, the authorize section should set the stage for the
authentication stage, i.e. known passwords, group checking, etc. Once
the user is authenticated, the post-authenticate section should set the
> Removing the initial pairfree() gives me the behaviour I expected, i.e.
> add some stuff during authorize, proxy, then combine reply and
> proxy_reply items before responding. Am I missing something?
I think your policy can be re-written to add most reply items in the
More information about the Freeradius-Devel