Hi,
I checked the FAQ and comments in the users file, and thought I had this, but I gave it a shot and it didn't work. I need to reject any user who tries to authenticate from a particular realm, then if it's OK use EAP. I added this to the users file:


-----------------------
DEFAULT         Realm == "badrealm.com", Auth-Type := Reject
               Reply-Message = "This realm is not supported."

DEFAULT         Auth-Type := EAP
------------------------

However, when I send Access-Request for "[EMAIL PROTECTED]" it gets past this line and starts the auth process. Am I missing something? I turn on eap in the authorize section. Maybe I don't really need the DEFAULT Auth-Type := EAP line but it makes life simple. I'll add the trace below.

Also, it may be preferable to define a group of bad realms somewhere, rather than list them all separately here. I saw the example that looks like this:
DEFAULT Group == "disabled", Auth-Type := Reject
Where do you define the group?


Here's the trace:
rad_recv: Access-Request packet from host 127.0.0.1:32768, id=53, length=85
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
User-Name = "[EMAIL PROTECTED]"
Message-Authenticator = 0x09d10d402d5ad1c98c60e4081f729884
EAP-Message = 0x020100180165617075736572407472616e7361742e636f6d
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: Looking up realm badrealm.com for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm badrealm.com
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 194 <--- this is the DEFAULT Auth-Type := EAP
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type sim
rlm_eap_sim: Issuing EAP-Request/SIM/Start for [EMAIL PROTECTED]
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 53 to 127.0.0.1:32768
EAP-Message = 0x01020014120a00000f020002000100000a010000
Message-Authenticator = 0x00000000000000000000000000000000
State = "state1"
Finished request 0


Regards,
Dave



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
