redirecting REJECTed users

Arran Cudbard-Bell a.cudbardb at
Sat Feb 13 00:20:39 CET 2016

> On 12 Feb 2016, at 14:34, Alan Batie <alan at> wrote:
> On 2/12/16 2:12 PM, Matthew Newton wrote:
>> Auth-Type is an internal attribute. It's not sent back to the NAS.
>> It should be 'Accept'.
>> You need to send something else to your NAS to tell it to
>> quarantine the user. For example if it is a switch you might set a
>> different VLAN by sending back a different Tunnel-Private-Group-Id.
> That's what specifying a different ip pool does - it then gives the user
> a non-routable ip address (e.g. 10.99.x.x).  At the moment, the main
> goal is keeping some misconfigured/suspended modems from spamming the
> logfile (they retry at relatively high rates on rejection), but
> eventually we'll use the mechanism to redirect users to a web site like
> most wireless hotspots do.

OK, then Matthew is correct.  Just do everything in perl.authorize.

The sections are mainly there as a basic framework.  If your perl module does all the work of authorization/authentication and is never going to reject users, you can just do

authorize {
	update control {
		Auth-Type := Accept
	}
}

and omit the authenticate section entirely.

Sometimes it's better to ignore the standard progression of the server if what you're doing doesn't fit with the traditional AAA model.  FreeRADIUS is pretty flexible in what it allows.  There's almost always a way to alter the standard behaviour of the server at any given point, you just need to figure out what it is ;)


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
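
Added example, not part of the original message and not FreeRADIUS project code: a v3-style authorize section that accepts every request as described above and steers flagged users into quarantine through reply attributes. The Tmp-String-0 flag set by the perl module, the pool name, the VLAN ID and the NAS-Port-Type test are assumptions for illustration.

```unlang
authorize {
	# The perl module does all credential and account checks itself.
	# Assumption: it marks suspended or misconfigured users by setting
	# control:Tmp-String-0 to "quarantine" instead of rejecting them.
	perl

	if (&control:Tmp-String-0 == "quarantine") {
		if (&NAS-Port-Type == Ethernet) {
			# Switch port: a VLAN assignment needs all three tunnel
			# attributes, not only Tunnel-Private-Group-Id.
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "999"	# hypothetical quarantine VLAN
			}
		}
		else {
			# Modem or access server: hand out an address from a
			# non-routable pool defined on the NAS.
			update reply {
				Framed-Pool := "quarantine"	# hypothetical pool name
			}
		}
	}

	# Auth-Type is internal and never reaches the NAS; it only tells the
	# server to send Access-Accept. With no authenticate section, nothing
	# after this point verifies credentials, so the perl module must have
	# done so already.
	update control {
		Auth-Type := Accept
	}
}
```

Running the server with radiusd -X shows which branch was taken and the reply attributes actually sent to the NAS.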
