Post Auth Configurations

Matt Zagrabelny mzagrabe at
Thu Jul 18 18:34:56 CEST 2013

On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <aland at> wrote:
> Navodit Bhardwaj wrote:
>> For each Access-Request recieved and authenticated successfully I want
>> to do following:
>>  1. Verify if Access-Request contains a parameter i.e IMEI of mobile
>>  2. If Not, send Access-Reject. Else,
>>  3. compare IMEI to value in database and assign a 32bit hex number in
>> Access-Accept
>   You should be able to just write this in unlang.  Write down which
> attributes you have, and what values you're looking for.  Then, write
> the logic.


I just asked a similar question and this is the logic I added to my
default site, right after 'preprocess':

if (CVPN3000-Tunnel-Group-Name == 'Bookstore') {
    if (SQL-Group == 'RADIUS:bookstore') {
    else {

What the above logic "says" is:

If the user is requesting to be in the Bookstore VPN group then if
they are part of the RADIUS:bookstore group, continue (noop), else
reject them.

You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore',
and remove the second 'if' statement.

>> Basically, I am doing a second authentication after initial
>> authentication (PAP, CHAP) is successful.
>   Don't do that.  Do it *before* PAP or CHAP.  In the "authorize" section.


I've got a similar question that dovetails into this discussion.
Suppose I wanted to reject certain users and wanted the Reply-Message
to be customized per user authenticating, but I want to ensure that I
am not leaking the customized message. Is there a way to test the
user/pw combo first and *then* perform unlang logic?



More information about the Freeradius-Users mailing list