Update Reply returns noop

Anastasios Gryponisiotis plant7 at gmail.com
Mon Jul 25 13:01:39 CEST 2016


I am trying to accept and add a custom reply to a check based on
NAS-Identifier and Realm.

I have added this to the post-auth section of sites-enabled/default:

Q+++
if ("%{reply:NAS-Identifier}" =~ /VPN-/) {
        if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") {
                update reply {
                        Reply-Message += "VPN Access Granted"
                }
        }
}
++++Q

This appears to be evaluated correctly, however the update reply module always
returns noop:

Q++++
++? if ("%{reply:NAS-Identifier}" =~ /VPN-/)
        expand: %{reply:NAS-Identifier} -> VPN-SITE1
? Evaluating ("%{reply:NAS-Identifier}" =~ /VPN-/) -> TRUE
++? if ("%{reply:NAS-Identifier}" =~ /VPN-/) -> TRUE
++- entering if ("%{reply:NAS-Identifier}" =~ /VPN-/) {...}
+++? if ("%{reply:NAS-Identifier}" == "%{reply:Realm}")
        expand: %{reply:NAS-Identifier} -> VPN-SITE1
        expand: %{reply:Realm} -> VPN-SITE1
? Evaluating ("%{reply:NAS-Identifier}" == "%{reply:Realm}") -> TRUE
+++? if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") -> TRUE
+++- entering if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") {...}
++++[reply] returns noop
+++- if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") returns noop
++++Q

If I add a "reject" to the if, like so:

Q++++
if ("%{reply:NAS-Identifier}" =~ /VPN-/) {
        if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") {
                update reply {
                        Reply-Message += "VPN Access Granted"
                }
                reject
        }
}
++++Q

Then the debug log still returns noop but somehow manages to update the
reply:

Q++++
++? if ("%{reply:NAS-Identifier}" =~ /VPN-/)
        expand: %{reply:NAS-Identifier} -> VPN-SITE1
? Evaluating ("%{reply:NAS-Identifier}" =~ /VPN-/) -> TRUE
++? if ("%{reply:NAS-Identifier}" =~ /VPN-/) -> TRUE
++- entering if ("%{reply:NAS-Identifier}" =~ /VPN-/) {...}
+++? if ("%{reply:NAS-Identifier}" == "%{reply:Realm}")
        expand: %{reply:NAS-Identifier} -> VPN-SITE1
        expand: %{reply:Realm} -> VPN-SITE1
? Evaluating ("%{reply:NAS-Identifier}" == "%{reply:Realm}") -> TRUE
+++? if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") -> TRUE
+++- entering if ("%{reply:NAS-Identifier}" == "%{reply:Realm}") {...}
++++[reply] returns noop
++++[reject] returns reject
.
.
.
Sending Access-Reject of id 25 to 192.168.4.1 port 59028
        Reply-Message = "VPN Access Granted"
++++Q

Can someone help me understand what I am doing wrong?

datablitz

