redirecting REJECTed users

Alan Batie alan at
Fri Feb 12 23:34:24 CET 2016

On 2/12/16 2:12 PM, Matthew Newton wrote:

> Auth-Type is an internal attribute. It's not sent back to the NAS.
> It should be 'Accept'.
> You need to send something else to your NAS to tell it to
> quarantine the user. For example it if is a switch you might set a
> different VLAN by sending back a different Tunnel-Private-Group-Id.

That's what specifying a different ip pool does - it then gives the user
a non-routable ip address (e.g. 10.99.x.x).  At the moment, the main
goal is keeping some misconfigured/suspended modems from spamming the
logfile (they retry at relatively high rates on rejection), but
eventually we'll use the mechanism to redirect users to a web site like
most wireless hotspots do.

More information about the Freeradius-Users mailing list