Using postauth_users and Access-Reject

Peter Lambrechtsen plambrechtsen at gmail.com
Mon Aug 9 06:14:56 CEST 2010


I've semi-sorted it by setting a Reply-Message and then using Unlang to
look up that message. A bit ugly, but it works.

In my post-auth section I have:

        files
        if ("%{reply:Reply-Message}" == "Reject") {
                reject
        }

And in the postauth_users I have:

DEFAULT Auth-Type := Reject
        Reply-Message = "Reject"

Which gives me this in the trace:

++[files] returns ok
++? if ("%{reply:Reply-Message}" == "Reject")
        expand: %{reply:Reply-Message} -> Reject
? Evaluating ("%{reply:Reply-Message}" == "Reject") -> TRUE
++? if ("%{reply:Reply-Message}" == "Reject") -> TRUE
++- entering if ("%{reply:Reply-Message}" == "Reject") {...}
+++[reject] returns reject
++- if ("%{reply:Reply-Message}" == "Reject") returns reject
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[reject] returns reject
Sending Access-Reject of id 76 to 192.168.143.72 port 2747
        Reply-Message = "Reject"



On Mon, Aug 9, 2010 at 3:36 PM, Peter Lambrechtsen
<plambrechtsen at gmail.com> wrote:

> Using FreeRadius 2.1.7 and trying to get the postauth_users to return an
> access reject; however, it always seems to return either a noop or ok.
>
> This is what I get in my radiusd -X trace:
>
> [files] postauth_users: Matched entry DEFAULT at line 30
> ++[files] returns ok
> Sending Access-Accept of id 53 to 192.168.143.72 port 2503
>         Reply-Message = "Your account has been disabled."
>
> And this is what is in my postauth_users file:
>
> DEFAULT Auth-Type := REJECT
>         Post-Auth-Type = Reject,
>         Reply-Message = "Your account has been disabled."
>
> Checking the rlm_files.c it seems that either ok or noop are the two
> options returned:
>
>         /*
>          *      See if we succeeded.
>          */
>         if (!found)
>                 return RLM_MODULE_NOOP; /* on to the next module */
>
>         return RLM_MODULE_OK;
>
> Ideally I would assume if the Auth-Type := Reject then the return should be
> "RLM_MODULE_REJECT".
>
> Since otherwise I think I will need to look up if the Reply-Message is set
> to disabled, and then do a reject.
>
> I'm no C developer hence why I am not offering up a patch, but I might try
> and see how difficult it would be.
>
> Cheers
>
> Peter
>
>
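
The failure mode in this thread is an Access-Accept that carries a denial message. The Python sketch below is an added example, not part of the original post or of FreeRADIUS; it scans a radiusd -X trace for that condition. The trace lines are taken from the two excerpts above, while the function names and the deny-marker words are assumptions made for illustration.

```python
import re

# Trace lines taken from the two radiusd -X excerpts in the post above.
TRACE_BEFORE = """\
[files] postauth_users: Matched entry DEFAULT at line 30
++[files] returns ok
Sending Access-Accept of id 53 to 192.168.143.72 port 2503
        Reply-Message = "Your account has been disabled."
"""
TRACE_AFTER = """\
++[files] returns ok
+++[reject] returns reject
Using Post-Auth-Type Reject
Sending Access-Reject of id 76 to 192.168.143.72 port 2747
        Reply-Message = "Reject"
"""

SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
ATTR_RE = re.compile(r'^\s+([\w-]+) = "?(.*?)"?\s*$')


def parse_replies(trace):
    """Return one dict per 'Sending ...' line, with the indented attributes under it."""
    replies, current = [], None
    for line in trace.splitlines():
        sent = SEND_RE.match(line)
        if sent:
            current = {"code": sent.group(1), "id": int(sent.group(2)), "attrs": {}}
            replies.append(current)
            continue
        attr = ATTR_RE.match(line)
        if current is not None and attr:
            current["attrs"][attr.group(1)] = attr.group(2)
        elif line.strip() and not line[0].isspace():
            current = None  # any other unindented line ends the attribute list
    return replies


def accepted_denials(trace, deny_markers=("disabled", "reject")):
    """Flag Access-Accept replies whose Reply-Message reads like a denial.

    deny_markers is a hypothetical word list; adapt it to your own messages.
    """
    findings = []
    for reply in parse_replies(trace):
        msg = reply["attrs"].get("Reply-Message", "")
        if reply["code"] == "Access-Accept" and any(k in msg.lower() for k in deny_markers):
            findings.append((reply["id"], msg))
    return findings


if __name__ == "__main__":
    for name, trace in (("before", TRACE_BEFORE), ("after", TRACE_AFTER)):
        print(name, accepted_denials(trace) or "no accepted denials")
```

Run against a captured debug trace after any change to postauth_users or the post-auth section, a non-empty result means a user the policy meant to deny was still sent an Access-Accept.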