Changing a Reject into an Accept
Brian Candler
B.Candler at pobox.com
Fri Nov 19 12:01:14 CET 2010
Is it possible to turn a reject into an accept inside the post-auth section?
The idea is to tunnel specific groups of failed users to an appropriate help
page.
I have tried:
    post-auth {
        ...
        Post-Auth-Type REJECT {
            if ( .... ) {
                applyTunnelAttributes
                ok
            }
        }
    }
The attributes are added, but the 'ok' doesn't change the packet into an
Access-Accept.
I also tried, unsuccessfully,
    update control {
        Packet-Type := Access-Accept
        Response-Packet-Type := Access-Accept
    }
    update reply {
        Packet-Type := Access-Accept
        Response-Packet-Type := Access-Accept
    }
(FreeRADIUS reports that modifying the value of a virtual attribute is not
supported)
I could mess about with the authenticate section, but this goes against
the stern advice in the default config:
    # Please do not put "unlang" configurations into the "authenticate"
    # section. Put them in the "post-auth" section instead. That's what
    # the post-auth section is for.
Going against that advice, the following appears to work:
    authenticate {
        Auth-Type PAP {
            pap {
                ok = return
                reject = 1
            }
            applyTunnelAttributes
        }
        Auth-Type CHAP {
            chap {
                ok = return
                reject = 1
            }
            applyTunnelAttributes
        }
    }
So, any better way of achieving this?
Thanks,
Brian.