Using postauth_users and Access-Reject
Alan DeKok
aland at deployingradius.com
Mon Aug 9 08:31:55 CEST 2010
Peter Lambrechtsen wrote:
> Using FreeRadius 2.1.7 and trying to get the postauth_users to return an
> access reject however it always seems to return either a noop or ok.
..
> And this is what is in my postauth_users file:
>
> DEFAULT Auth-Type := REJECT
> Post-Auth-Type = Reject,
Hmm... you are trying to change the *authentication* type to reject
after the *authenticate* section has been executed. This won't work.
> Ideally I would assume if the Auth-Type := Reject then the return should
> be "RLM_MODULE_REJECT".
No. Setting "Auth-Type := Reject" is useful ONLY in the "authorize"
section, *before* the "authentication" section has been run. It doesn't
reject the user immediately. Instead, it tells the server to run the
"reject" authentication method.
> Since otherwise I think I will need to lookup if the Reply-Message is
> set to disabled, and then do a reject.
No.
If you want the post-auth section to return "reject", just put
"reject" into the list of modules to be run:
post-auth {
...
reject
...
}
See "man unlang" for details.
Alan DeKok.
More information about the Freeradius-Users
mailing list