Conditional Auth Response?

Alan DeKok aland at
Wed Feb 12 04:04:56 CET 2014

Darren Ward (darrward) wrote:
> I'm trying in the authorise section of the default site in sites-enabled:

  Nope.  You're editing some file, but the server isn't reading the file
you're editing.

> So this rule I am hoping to create will see an incoming authorise request for user as an example use the password "cisco" for the authorisation and then proceed to look at the request and if it sees a Cisco-Control-Info attribute set with QV<anynumber> then update the reply which needs to be an access-accept with QV="0" else if there is no QV attribute set then set one to 50Meg

  OK... you'll need to set a password too, but that isn't hard.

> I'm on a basic Red Hat box so I assume the POSIX regex is * but I have also tried the + from a previous example I found

  I don't know what that means.  The regex syntax is very well defined.
 The characters * and + have specific, documented, meanings.

> authorize {
> ...

  That all seems OK.

> However in the debug log it doesn't seem to macth any rules in authorisze and 

  For one, don't do "radiusd -Xx".  It's not necessary.  The docs say to
use "radiusd -X".  Please follow them.

> rad_recv: Access-Request packet from host port 45778, id=65, length=84
>         User-Name = ""
>         User-Password = "cisco"
>         NAS-IP-Address =
>         NAS-Port = 10
>         Message-Authenticator = 0xf253e291d588b17c3bb0e547c4993af8
> Wed Feb 12 12:57:55 2014 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> Wed Feb 12 12:57:55 2014 : Info: +group authorize {

  And read that.  Note there's no reference to the server processing an
"if" section.

  So... whatever file you're editing, it's not the one used by the server.

  It's no surprise that your changes don't work.  They're not being used
at all.

  This is why you should read the debug output.  It looks impressive,
but it's not hard.  You have an "if" in the "authorize" section?  You'll
see an "if" in the debug output.  It's that simple.

  Alan DeKok.

More information about the Freeradius-Users mailing list