Auth-Type = Reject not being obeyed

Matthew Melbourne matt at melbourne.org.uk
Sun May 26 02:41:14 CEST 2013


I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':='
operator to reject a CHAP authentication.

Unfortunately, it's not always easy to place a live production system in
debug mode, hence the initial "is this something stupid" question :)

(And apologies for the lack of a subject line in the original post).

Cheers,
Matt 

-----Original Message-----
Date: Fri, 24 May 2013 17:31:29 +0100
From: Phil Mayers <p.mayers at imperial.ac.uk>
To: freeradius-users at lists.freeradius.org
Subject: Re: Auth-Type = Reject not being obeyed
Message-ID: <519F95E1.6010100 at imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 24/05/13 17:19, Alan Buxey wrote:

> The only difference I can see is that the first example uses a 
> plain-text password, and the RADIUS on the LNS is using CHAP?
>
> The backend database has "=" in the 'op' field (and not ":="), so the 
> returned attribute is "Auth-Type = Reject" and not "Auth-Type := 
> Reject", but it is correctly rejected using radtest/radclient, and I 
> believe the "=" operand to be correct.

You might have this:

authorize {
   ...
   chap
   sql
   ...
}

..and Auth-Type is already set by chap, hence "=" doesn't overwrite it.

Anyway, you're not correct that "=" is the right operator; ":=" means
"force" i.e. set this attribute to this value, always, and that's what you
want to do here, right? "=" means "set if unset"

As has also been pointed out - show "radiusd -X" for a problem auth (and set
a subject line...)
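
The operator behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code. It is a simplified model of "=" (set if unset) and ":=" (force) with chap listed before sql. It assumes the back-end table is the stock radcheck table (the thread only mentions an 'op' field); the users and values are constructed.

```python
import sqlite3

# Constructed sample rows (username, attribute, op, value); table name is an assumption.
ROWS = [
    ("alice", "Cleartext-Password", ":=", "s3cret"),
    ("alice", "Auth-Type", "=", "Reject"),   # the case from the thread
    ("bob", "Cleartext-Password", ":=", "hunter2"),
    ("bob", "Auth-Type", ":=", "Reject"),    # forced reject
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany("INSERT INTO radcheck (username, attribute, op, value)"
                   " VALUES (?, ?, ?, ?)", ROWS)
    return db

def apply_item(control, attribute, op, value):
    """Model of the two operators as described in the thread."""
    if op == ":=":                       # force: always overwrite
        control[attribute] = value
    elif op == "=" and attribute not in control:
        control[attribute] = value       # set only if not already set

def authorize(db, username, is_chap):
    """Return the Auth-Type left after 'chap' then 'sql' have run."""
    control = {}
    if is_chap:                          # chap runs first and claims Auth-Type
        control["Auth-Type"] = "CHAP"
    query = ("SELECT attribute, op, value FROM radcheck"
             " WHERE username = ? ORDER BY id")
    for attribute, op, value in db.execute(query, (username,)):
        apply_item(control, attribute, op, value)
    return control.get("Auth-Type")

def weak_rejects(db):
    """Audit: users whose Auth-Type Reject row would not override chap."""
    query = ("SELECT username FROM radcheck WHERE attribute = 'Auth-Type'"
             " AND value = 'Reject' AND op <> ':=' ORDER BY username")
    return [row[0] for row in db.execute(query)]

if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "bob"):
        print(user, "PAP:", authorize(db, user, False),
              "CHAP:", authorize(db, user, True))
    print("rows needing ':=':", weak_rejects(db))
```

The audit query in weak_rejects is the part to run against a real back end: any row it returns rejects a plain-text test but lets a CHAP request through.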


