Deleting reply items before post-proxy

Alan DeKok aland at deployingradius.com
Thu Aug 30 18:00:14 CEST 2007


Eddie Stassen wrote:
> I was trying to get rid of my 'post-proxy-authorize' dependency and
> found that any attributes added during the authorize stage are removed
> when the proxy reply  is received.  Surely this is not intended
> behaviour

  Yes.  The problem is that the "authorize" stage is usually done wrong,
for reasons that go back to the original implementation.

  The authorize section often updates the *reply*, which is just plain
backwards.  Instead, the authorize section should set the stage for the
authentication stage, i.e. known passwords, group checking, etc.  Once
the user is authenticated, the post-authenticate section should set the
reply.

> Removing the initial pairfree() gives me the behaviour I expected, i.e.
> add some stuff during authorize, proxy, then combine  reply and
> proxy_reply items before responding.  Am I missing something?

  I think your policy can be re-written to add most reply items in the
post-authentication stage.

  Alan DeKok.




More information about the Freeradius-Devel mailing list