Auth failed accounts and write to SQL database

Matthew Newton mcn at
Wed Mar 15 09:38:01 UTC 2023

On 15/03/2023 06:21, Steven Walters wrote:
> I am not sure what I am trying to do is possible but let's try.

Most things are possible...

> I have the following statement  under authenticate to accept "guest" users
> even if the password is correct.
>          Auth-Type PAP {
>                  pap {
>                      reject = 1
>                  }
>                  if (reject && (User-Name == "guest")) {
>                      accept
>                  }
>          }

Don't do it in authenticate{}. Update authorize{} instead.

if (&User-Name == "guest") {
   update control {
     &Auth-Type := Accept
   }
}

> Under post-auth I write failed requests to postauth_table.  In the case of
> a "guest" user's password being incorrect, it will accept the
> authentication and not write the record to the postauth_table.

OK. Though it should write to radpostauth for all authentications, 
unless you've commented "sql" out of the "Post-Auth-Type REJECT" section.

> What I require is that in the case of the password being incorrect for a
> "guest" user, I need to accept the request but write a record to the
> postauth_table (reply field)  as access-reject. This is that we have a
> record of access-rejects for "guest" users but still allow them to connect
> with limited connectivity.

Hmm, OK. Confusing, as your records will show someone wasn't allowed on, 
but actually they were. I'm not sure why you would want to do this - you 
already know that any authentications with username "guest" are 
permitted because of a different criterion from other users, so you can 
just query the database on that basis.

> I thought of using a variable, like below, to write the value to the reply
> field in the postauth_table but it seems one can't do much under Auth-Type
> PAP.

No, don't do this sort of thing in authenticate{}.

The clearest is probably to add a new Auth-Type column to the 
radpostauth table, then update the query to include 
'%{control:Auth-Type}' as well, then you'll see "pap" or "accept", which 
makes it much clearer what happened.

Otherwise, if you really want to log an "incorrect" value, you could add 
something like this to the above "update" section:

if (&User-Name == "guest") {
   update control {
     &Auth-Type := Accept
     &Tmp-String-1 := "Access-Reject"
   }
}

Then update the postauth query to log


instead of just


i.e. if the Tmp-String-1 attribute is set, log that, otherwise log 
reply:Packet-Type as usual.

I would just add a new column and be entirely clear about it, though.


More information about the Freeradius-Users mailing list
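Putting the two suggestions from the reply together (the authorize{} override for "guest", and a postauth query that records both a fallback reply value and control:Auth-Type), here is an added, complete configuration sketch. It is not from the original thread or from the FreeRADIUS project; it assumes a FreeRADIUS 3.x layout (sites-enabled/default and mods-config/sql/main/mysql/queries.conf), that Tmp-String-1 is not used elsewhere on the server, and that a column named authtype has been added to radpostauth (the ALTER TABLE shown in a comment is an assumption about your schema, not something the thread specifies).

```unlang
# --- sites-enabled/default (assumed path), authorize section ---
# Added example: force Auth-Type for "guest" in authorize{}, never in
# authenticate{}. Note that with Auth-Type := Accept the pap module is
# skipped, so the guest password is never verified at all; the marker
# below therefore means "guest account, password not checked", not
# "password checked and found wrong".
authorize {
    ...
    if (&User-Name == "guest") {
        update control {
            &Auth-Type := Accept
            # Assumption: Tmp-String-1 is free for this purpose.
            &Tmp-String-1 := "Access-Reject"
        }
    }
    ...
}

# --- mods-config/sql/main/mysql/queries.conf (assumed path) ---
# Assumed schema change (run once against the RADIUS database):
#   ALTER TABLE radpostauth ADD COLUMN authtype varchar(64) NOT NULL DEFAULT '';
#
# reply column: if control:Tmp-String-1 is set, log it, otherwise fall
# back to reply:Packet-Type as the stock query does.
# authtype column: control:Auth-Type, so rows show "Accept" vs "PAP" and
# the forced accept is visible without overloading the reply field.
post-auth {
    query = "\
        INSERT INTO ${..postauth_table} \
            (username, pass, reply, authtype, authdate) \
        VALUES ( \
            '%{SQL-User-Name}', \
            '%{%{User-Password}:-%{Chap-Password}}', \
            '%{%{control:Tmp-String-1}:-%{reply:Packet-Type}}', \
            '%{control:Auth-Type}', \
            '%S')"
}
```

With the authtype column in place, the reply field can stay truthful (Access-Accept, because the user really was let on) and guest sessions are found with a query on username = 'guest' AND authtype = 'Accept', which is the "just query the database on that basis" approach the reply recommends. Run radiusd -X after editing and confirm the INSERT in the debug output before relying on the new column.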