Update Reply returns noop

Alan DeKok aland at deployingradius.com
Mon Jul 25 17:33:01 CEST 2016


On Jul 25, 2016, at 11:04 AM, Anastasios Gryponisiotis <plant7 at gmail.com> wrote:
> 
> What I am trying to achieve, and have so far been successful, is to have
> groups of users and NAS groups (using regex). I then use unlang to create
> conditionals in order to accept/reject/update reply items accordingly.
> 
> I use this to specify different access levels using Cisco-AV-Pair values
> and to allow users of some groups to access some NASes and not others. This
> is all running in post_auth and works fine.

  That's all fine.

> Anything that is not matching within the if conditionals is trickled down
> to a "catch-all" else that rejects the request.

  Which means doing something like:

	if (a) {
	}
	elsif (b) {
	}
	elsif (c) {
	}
	else {
		reject
	}

  That isn't what you've configured.  You have a bunch of unrelated "if" statements.

> Now I want some of these users to also be able to access VPNs to specific
> sites. So I am trying to use a Reply item of "Realm" to match the
> NAS-Identifier of the VPN endpoints. Unfortunately, even though the
> conditional matched this, it returns noop, therefore evaluation is
> continuing to match another conditional, until it is rejected by the
> "catch-all" else statement at the end.

  Do NOT rely on module return codes in order to see whether or not an "if" condition matched.  Instead, use "if", "elsif", and "else".

  Alan DeKok.
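
An added illustration of the point above, not part of the original message and not the poster's actual configuration: a FreeRADIUS 3.x post-auth policy written first as unrelated "if" blocks and then as one if/elsif/else chain. The group names, NAS-Identifier patterns and reply values are constructed, and SQL-Group assumes the sql module is in use for group checks.

```unlang
# Variant A (fragile): independent "if" blocks.
# The trailing "else" pairs only with the LAST "if". A request that
# matched the first block is still evaluated against the second one,
# fails it, and is rejected by what was meant to be a catch-all.
post-auth {
	if (SQL-Group == "netadmin" && &NAS-Identifier =~ /^core-/) {
		update reply {
			Cisco-AVPair := "shell:priv-lvl=15"
		}
	}
	if (SQL-Group == "vpn-users" && &NAS-Identifier =~ /^vpn-/) {
		update reply {
			Reply-Message := "VPN access granted"
		}
	}
	else {
		reject
	}
}

# Variant B (chained): one if / elsif / else.
# The first matching branch ends the evaluation, regardless of the
# return code of the "update" inside it. Only requests that match no
# branch reach the default-deny "else".
post-auth {
	if (SQL-Group == "netadmin" && &NAS-Identifier =~ /^core-/) {
		update reply {
			Cisco-AVPair := "shell:priv-lvl=15"
		}
	}
	elsif (SQL-Group == "vpn-users" && &NAS-Identifier =~ /^vpn-/) {
		update reply {
			Reply-Message := "VPN access granted"
		}
	}
	else {
		reject
	}
}
```

Only one of the two post-auth sections belongs in a virtual server; running the server with `radiusd -X` shows which branch each request takes.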



