Dropping requests when no authentication possible
Chris Phillips
chris at untrepid.com
Fri Mar 13 14:42:42 CET 2009
>
> > Response-Packet-Type = Do-Not-Respond
>
> Try changing that to Tmp-String-0 := "silent"
>
> And then add to Post-Auth-Type REJECT:
>
> if(control:Tmp-String-0 == "silent") {
>     update control {
>         Response-Packet-Type := 256
>     }
> }
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
I can see the logic there, but the packet still exists. I can't see any
evidence of this Response-Packet-Type having any notable impact at all.

Fri Mar 13 12:07:30 2009 : Error: rlm_ldap: (re)connection attempt failed
Fri Mar 13 12:07:30 2009 : Info: [ldap] search failed
Fri Mar 13 12:07:30 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Mar 13 12:07:30 2009 : Info: +++[ldap] returns fail
Fri Mar 13 12:07:30 2009 : Info: +++- entering group {...}
Fri Mar 13 12:07:30 2009 : Info: ++++[control] returns fail
Fri Mar 13 12:07:30 2009 : Info: +++- group returns fail
Fri Mar 13 12:07:30 2009 : Info: ++- policy redundant returns fail
Fri Mar 13 12:07:30 2009 : Auth: Invalid user: [fbloggs] (from client my-switch port 0 cli 10.10.10.10)
Fri Mar 13 12:07:30 2009 : Info: Using Post-Auth-Type Reject
Fri Mar 13 12:07:30 2009 : Info: +- entering group REJECT {...}
Fri Mar 13 12:07:30 2009 : Info: ++? if (control:Tmp-String-0 == "silent")
Fri Mar 13 12:07:30 2009 : Info: ? Evaluating (control:Tmp-String-0 == "silent") -> TRUE
Fri Mar 13 12:07:30 2009 : Info: ++? if (control:Tmp-String-0 == "silent") -> TRUE
Fri Mar 13 12:07:30 2009 : Info: ++- entering if (control:Tmp-String-0 == "silent") {...}
Fri Mar 13 12:07:30 2009 : Info: +++[control] returns noop
Fri Mar 13 12:07:30 2009 : Info: ++- if (control:Tmp-String-0 == "silent") returns noop
Fri Mar 13 12:07:30 2009 : Info: Delaying reject of request 1 for 1 seconds
Fri Mar 13 12:07:30 2009 : Debug: Going to the next request
Fri Mar 13 12:07:30 2009 : Debug: Waking up in 0.9 seconds.
Fri Mar 13 12:07:31 2009 : Info: Sending delayed reject for request 1
Sending Access-Reject of id 4 to 10.20.30.40 port 32776

authorize {
    preprocess
    auth_log
    chap
    mschap
    files
    redundant {
        ldap
        group {
            update control {
                Tmp-String-0 := "silent"
            }
        }
    }
}

post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        if (control:Tmp-String-0 == "silent") {
            update control {
                Response-Packet-Type := Do-Not-Respond
            }
        }
    }
}

Thanks
Chris