How to Terminate inner-tunnel Execution after Reject?

Alan DeKok aland at
Sat Nov 28 16:34:29 CET 2020

On Nov 28, 2020, at 12:23 AM, Mike Ruebner <freeradius at> wrote:
> I am rejecting PEAP requests from specific AVPs in my inner-tunnel 'authorize' section. That's pretty much it, but those rejects still hit 'post-auth', where I have to specifically exclude them from a lockout counter. Is there a way to, for lack of better words, gracefully 'exit' inner-tunnel from my PEAP-reject module? Meaning, no execution of sections further down the food chain (i.e., authenticate, post-auth).

  There's no way to stop that state machine.  But once you reject a user, it skips the "authenticate" section and runs the "Post-Auth-Type Reject" sub-section of "post-auth".

  You might need to upgrade.  In some older versions it didn't run "Post-Auth-Type Reject" in the inner tunnel.

  Alan DeKok.
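
Added example (not part of the original message, and not FreeRADIUS's shipped configuration): a v3-style `inner-tunnel` fragment for the behaviour described above, where a policy reject in `authorize` lands in `Post-Auth-Type REJECT` and is kept out of a lockout counter by a marker attribute. The module name `lockout_counter`, the matched condition and the marker value are assumptions made for illustration.

```unlang
# sites-enabled/inner-tunnel (fragment, FreeRADIUS v3 unlang)
server inner-tunnel {
    authorize {
        # Constructed condition standing in for the "specific AVPs"
        # the poster rejects on.
        if (&outer.request:Calling-Station-Id == "00-00-5E-00-53-01") {
            # Mark the request so post-auth can tell a policy reject
            # apart from a failed credential check.
            update control {
                &Tmp-String-0 := "policy-reject"
            }
            # "authenticate" is skipped; processing continues in
            # Post-Auth-Type REJECT below.
            reject
        }

        eap
    }

    post-auth {
        # Modules listed directly here run for accepted users only.

        Post-Auth-Type REJECT {
            # Count the failure only when the marker is absent,
            # i.e. the reject did not come from the policy above.
            if (!&control:Tmp-String-0) {
                lockout_counter    # hypothetical module/policy name
            }
            attr_filter.access_reject
        }
    }
}
```

Running the server with `radiusd -X` shows which section handles the rejected inner request, which also confirms whether the installed version runs `Post-Auth-Type REJECT` in the inner tunnel.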
