attribute checking in the session REJECT

[Alan DeKok]

On Sep 11, 2025, at 1:44 AM, Can Paçacı <pacaci at servisnet.com.tr> wrote:
> 
> Sorry I couldn't explain  clearly.  I listed the things I wanted to do during the checks on the auth access package as follows:
> 
> In the Received Access-Request,
>      -In the normal conditions check User-Name, User-Password and NAS-Identifier and write the appropriate Reply-Message to the return package.
>      -In cases where NAS-Identifier is not defined in the radcheck table only check the User-Name and User-Password and write the appropriate Reply-Message to the return package.

  But the server does that already.

  If you list a User-Name, User-Password, and NAS-Identifier in radcheck, they will all be used.  If you only list a User-Name and User-Password in radcheck, it will only use / check those.

  Perhaps you're looking to catch the situation where a user has a correct name / password, but is using the wrong NAS.  For that situation, you don't need to do anything.  Just list the right NAS-Identifier in radcheck.  Then, if the user logs into a different NAS, it won't match.  Since that entry didn't match, the User-Password won't be added.  And the user will be rejected.

  Alan DeKok.