Forcing authorization access-reject depending on attribute
Ezequiel O. Block
ezequielb at pilar-ciudad.com.ar
Mon Sep 26 16:36:45 CEST 2005
Mike Chamberlain wrote:
> Hi there.
>
> I am using freeradius to authenticate users to a ChilliSpot wireless
> hotspot. It's backended by a SQL database and communicating using
> stored procedures. My problem is as follows.
>
> On authentication, the user enters their username and password. This
> calls a stored procedure which returns the correct password, leaving
Why don't you just hack that stored procedure in order to check if he
has credit and then send back garbage as password if he should not be
able to connect..
this is what comes to my mind now, this is not the best solution I think..
> it up to the gateway to determine if the password they entered is
> correct. This is all no problem.
>
> The problem arises on the authorization. Even though the user may
> have supplied the correct username and password, they may not have
> enough credit to use the service. The problem is that there is no
> radius attribute that I can pass back to the ChilliSpot gateway to
> indicate that the user should not be allowed service. No matter what
> attributes I add, the radius message is always an Access-Accept. (For
> VoIP people, what I really want is the equivalent of the
> h323-return-code attribute, but sadly there doesn't appear to be
> anything like this in the WISPr specification.)
>
> I have been advised that it might be possible to return an arbitrary
> Access-Reject if I use scripting. I was thinking that perhaps it
> would be possible for freeradius to examine a particular attribute in
> the authorization response, and depending on the value change the
> message to be an Access-Reject. However, I am kind of stuck with this
> as I am new to freeradius and have no idea where to start. Does
> anyone know whether this would be the correct approach? If so, are
> there any sites or examples to get me started on this? If not, can
> anyone think of a better way to accomplish what I am trying?
>
> Thanks in advance for your help,
>
> Mike
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list