Respond with access-accept when password incorrect
Steven Walters
steven.walters1 at gmail.com
Thu Feb 9 08:25:06 UTC 2023
Thanks for the response Alan. I tested it and it worked. Just made a small
change as below to apply the accept to guest account only.
I just would like to understand why (purpose) one needs to set 'reject=1'?
If I remove the statement the policy doesn't work.
Auth-Type PAP {
pap{
reject=1
}
if (reject && User-Name == "guest") {
accept
}
}
Thanks
Steven
On Wed, 8 Feb 2023 at 14:00, <freeradius-users-request at lists.freeradius.org>
wrote:
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: kqueue support (work vlpl)
> 2. Re: kqueue support (Alan DeKok)
> 3. Respond with access-accept when password incorrect
> (Steven Walters)
> 4. Re: Respond with access-accept when password incorrect
> (Alan DeKok)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 7 Feb 2023 14:01:58 +0100
> From: work vlpl <thework.vlpl at gmail.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: kqueue support
> Message-ID:
> <
> CAPt3fZjsrb3hGzMLd5+WcOsBpmwF9oskA2p5QEu9K_1PjGz18w at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Mon, 6 Feb 2023 at 22:05, Matthew Newton via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
>
> >
> > You don't need kqueue for FreeRADIUS < v4, so there is no need to build
> it.
>
> I am confused a bit, I know I don't need kqueue to compile versions
> 3.0.x and 3.2.x. But can I compile it? I want to try to use kqueue
> instead of select.
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 7 Feb 2023 08:07:01 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: kqueue support
> Message-ID: <0CC83890-26F3-4C42-A3A4-A95A55FF6591 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 7, 2023, at 8:01 AM, work vlpl <thework.vlpl at gmail.com> wrote:
> > I am confused a bit, I know I don't need kqueue to compile versions
> > 3.0.x and 3.2.x. But can I compile it? I want to try to use kqueue
> > instead of select.
>
> You have the source code. Go look. It's how everyone else learned.
>
> If you don't have time to understand the source code, then there's no
> point in trying to switch FreeRADIUS to use kqueue.
>
> This list is for people using FreeRADIUS, not for people learning how
> kqueue works.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 7 Feb 2023 23:01:58 +0200
> From: Steven Walters <steven.walters1 at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Respond with access-accept when password incorrect
> Message-ID:
> <CALF=EMLEFyzGukeZRb45=X86=
> VdrRUkBZPzT7cDhWW4tTk5XYQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi
>
> We have guest broadband user accounts. I would like RADIUS to respond with
> access-accept on PAP even if the password is incorrect. I will then write
> to the database to indicate the session has an incorrect password and allow
> the PPPoE to connect to the internet.
>
> This will allow the agent to access the CPE to update the password.
>
> What is the best way to achieve this, that is to respond with an
> authentication success even if the password is incorrect for a specific
> username?
>
> Regards
> Steven
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 7 Feb 2023 16:13:52 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Respond with access-accept when password incorrect
> Message-ID: <1D55996B-2930-483F-9535-0D05C7CE8A84 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 7, 2023, at 4:01 PM, Steven Walters <steven.walters1 at gmail.com>
> wrote:
> >
> > We have guest broadband user accounts. I would like RADIUS to respond
> with
> > access-accept on PAP even if the password is incorrect. I will then write
> > to the database to indicate the session has an incorrect password and
> allow
> > the PPPoE to connect to the internet.
> >
> > This will allow the agent to access the CPE to update the password.
> >
> > What is the best way to achieve this, that is to respond with an
> > authentication success even if the password is incorrect for a specific
> > username?
>
> You can just use the "accept" policy:
>
> authorize {
> ...
> accept
> }
>
> And it will accept the user.
>
> If you're actually checking passwords, it will have to be a bit
> different:
>
> authenticate {
> ...
> Auth-Type pap {
> pap {
> reject = 1
> }
>
> if (reject) {
> accept
> }
>
> }
>
> }
>
> Though I would strongly recommend putting these users into a limited
> VLAN. They should have access to update the password, but shouldn't be
> allowed to connect to the internet.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 214, Issue 6
> ************************************************
>
--
Warm Regards
Steven Walters
0814287179
More information about the Freeradius-Users
mailing list