Deleting reply items before post-proxy

Hugh Messenger hugh at
Thu Aug 30 20:20:27 CEST 2007

Alan DeKok said:
> Eddie Stassen wrote:
> > I was trying to get rid of my 'post-proxy-authorize' dependency and
> > found that any attributes added during the authorize stage are removed
> > when the proxy reply  is received.  Surely this is not intended
> > behaviour
>   Yes.  The problem is that the "authorize" stage is usually done wrong,
> for reasons that go back to the original implementation.
>   The authorize section often updates the *reply*, which is just plain
> backwards.  Instead, the authorize section should set the stage for the
> authentication stage, i.e. known passwords, group checking, etc.  Once
> the user is authenticated, the post-authenticate section should set the
> reply.

Which is great in theory, but as Arran pointed out, not so easy in practice,
especially if you are trying to do everything from SQL.

I second the request for a "yes_I_(think)_I_know_what_I_am_doing" switch we
can use to turn that behavior off, until such time as rlm_sql allows us to
do things "the right way" without jumping through too many hoops?

>   Alan DeKok.

   -- hugh

More information about the Freeradius-Devel mailing list