Update_Control and Update_Reply in Post-Auth-Type = Reject

Alan DeKok aland at deployingradius.com
Mon Feb 8 16:52:24 CET 2021


On Feb 8, 2021, at 9:26 AM, Aurélio de Souza Ribeiro Neto <netolistas at mpc.com.br> wrote:
>     I want to Update_Control and Update_Reply for rejected users (not in my database).
> 
>     My Users are coming from PAP Authentication method.
> 
>     If the users are not in my Database, I want to give an IP from a specific Pool to this users.

  Then you have to turn a reject into accept.  You can't assign IPs in an Access-Reject packet.

  And the server can't turn an Access-Reject into an Access-Accept.  You have to catch the error earlier in the process.

>     I did this in my default file in Post-Auth-Type REJECT session but this settings are not Working
> 
>         Post-Auth-Type REJECT {
> ...
>                 update control {
>                  Pool-Name := "mkt_pool"
>                 }
> 
>                 update reply {
>                  Mikrotik-Rate-Limit := "2M/2M"
>                  Framed-IP-Address !* ANY
>                 }

  None of that runs the IP pool module to assign IPs.

>         Take a Look in my DEBUG output:

  Yes!

> Ready to process requests
> ...
> (0)     [sql] = notfound

  That's the key.  Note also that the user *isn't* being rejected.  The user is unknown!

>     How can I solve this?

  In the "authorize" section, check for users who are not found:

authorize {
	...
	sql
	if (notfound) {
		... assign users from a different pool ...
		accept # force authentication to succeed
	}
	...
}

  That should work.

  Alan DeKok.




More information about the Freeradius-Users mailing list