VSA attributes sent with Access-Reject response
Contact (COEXSI)
contact at coexsi.fr
Fri May 16 22:26:44 CEST 2014
> Contact (COEXSI) wrote:
> > For filtering the Access-Challenge response when doing EAP, I've these
> > lines (commented) in the default configuration:
> >
> > #	Auth-Type eap {
> > #		eap {
> > #			handled = 1
> > #		}
> > #		if (handled && (Response-Packet-Type == Access-Challenge)) {
> > #			attr_filter.access_challenge.post-auth
> > #			handled  # override the "updated" code from attr_filter
> > #		}
> > #	}
> >
> > When uncommenting them, I've a configuration parsing error:
> >
> > Failed to find "handled" in the "modules" section.
>
> Because you edited the configuration, and removed "always" from
> raddb/modules. It has the definition for "handled".
>
Yes, we had removed the "always" module as we didn't think it was for
production purposes.
At the beginning of its configuration file, we can read it's used for
debugging:

# The "always" module is here for debugging purposes. Each
# instance simply returns the same result, always, without
# doing anything.

After adding the "always" module, the configuration is parsed without error.
But the VSAs are still sent along with the EAP-MD5 Access-Challenge
response!
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html