Is this hack possible?

Michael Mitchell mitchell.michael at bigpond.com
Fri Nov 17 13:20:45 CET 2006


Erling Paulsen wrote:
> Hi.
> 
> Is it possible to make FreeRADIUS rewrite/force an "Access Denied" reply 
> into an "Access Accept" reply? Why on earth would I want this? Well, I 
> would like to i.e. give a guest-net Vlan back to users that actually 
> fail authentication, so that when they try to access the web they will 
> instead get connected to a redirected guest-information webpage.
> 
> - or does anyone have an idea of how such a functionality can be 
> achieved through some kind of magic?
> 

We do a similar thing, but the logic is a little more complicated. I had to write a module to do what I wanted, which I call from the Post Auth phase. Our module retrieves a "Captive Portal" network access profile out of LDAP and sets the response code to Access-Accept.

The major problem with modifying the response code in the post-auth section is that the authentication result has already been written to radiusd.log at that stage (in version 1.0.1) so it starts to make the log files difficult to interpret.

So, it's definitely possible to do what you want, but it may take a reasonable amount of effort.

cheers,
Mike
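
The decision described in this thread, as an added example that is not part of the original post and not FreeRADIUS code: a stand-alone Python model of a post-auth step that maps a failed login onto a guest VLAN and writes one audit line holding both the real authentication result and the reply actually sent. The function names, the audit format and VLAN ID 999 are assumptions; the three tunnel attributes are the standard RFC 3580 VLAN assignment attributes.

```python
from dataclasses import dataclass

ACCEPT, REJECT = "Access-Accept", "Access-Reject"
GUEST_VLAN_ID = "999"  # constructed value, not from the post


def guest_profile(vlan_id):
    """RFC 3580 reply attributes that place a port in the given VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


@dataclass
class Decision:
    code: str    # reply code sent to the NAS
    reply: dict  # reply attributes sent to the NAS
    audit: str   # single audit line for this request


def post_auth(user, auth_result, reply, guest_vlan=GUEST_VLAN_ID):
    """Hypothetical post-auth hook: failed logins get the guest VLAN only."""
    # repr() escapes newlines, so an unauthenticated user name cannot
    # forge extra lines in the audit log.
    who = repr(user)
    if auth_result == ACCEPT:
        return Decision(ACCEPT, dict(reply),
                        f"user={who} auth=ok final={ACCEPT} profile=user")
    # Assumption: the reply list may already hold attributes looked up for
    # the claimed identity. None of them may survive the rewrite, or a
    # failed login would inherit that user's VLAN or filters.
    dropped = ",".join(sorted(reply)) or "-"
    audit = (f"user={who} auth=failed final={ACCEPT} profile=guest "
             f"vlan={guest_vlan} dropped={dropped}")
    return Decision(ACCEPT, guest_profile(guest_vlan), audit)


if __name__ == "__main__":
    # Constructed sample: attributes an authorization lookup returned for "alice".
    staff = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-Id": "10", "Filter-Id": "staff"}
    for result in (ACCEPT, REJECT):
        d = post_auth("alice", result, staff)
        print(d.code, d.reply, d.audit, sep="\n  ")
```

Because the audit line carries auth=failed next to the final reply code, it can be read alongside radiusd.log, which has already recorded the original result by the time the reply is rewritten.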


