On Mon, 7 Jun 2004 05:26:11 +1000 [EMAIL PROTECTED] (Paul Hampson) wrote:
On Sat, Jun 05, 2004 at 10:51:38PM +0200, jesk wrote:
> hello,
>
> I'm having problems understanding how freeradius differentiates between
> replyitems which are replied every time, no matter whether authentication
> was successful, like the Attribute "Reply-Message", and Attributes which are
> only replied if the authentication is successful.
>
> I'm asking this for integrating "Cisco AV-Pairs" correctly as ReplyItems, which
> should be only replied if the authentication is successful. At the moment
> they are replied every time, whether the supplied User-Password is correct
> or not.
Why not add the reply-items in post-auth, with the Post-Auth-Type not being Reject? That's how rlm_ippool is used, for example, so that you don't assign IPs to rejected clients.
Can you explain to me in a little more detail how to accomplish this, and why some attributes are replied and some others not when the authentication fails because of a wrong password, for example?
Well, I could be wrong but I assume at this point that reply-items added
during authorization will always be sent, and reply-items added during
authentication will only be sent if authentication succeeds. The trick to
be careful of is that SQL's reply-items are added during authorization,
not authentication, so that may not be the best time to add reply items
which you don't want to send on rejection.

Unless post-auth-query lets you return reply-items (and I don't think it
does, offhand) you may need to put together an rlm_exec to fetch the rows
you want to send, and call that during post-auth with a Post-Auth-Type
Accept block or similar. (There should be examples in the config file and
docs.)

If you're not using SQL but using rlm_files, then I don't know why reply
attributes attached to a failed entry in the users file are coming through,
unless they were added by a previous entry which fell through?
--
Paul "TBBle" Hampson, on a webmail client!
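
The post-auth approach suggested above, as an added example that is not part of the original thread or the project's shipped configuration. It assumes the unlang `update` syntax of FreeRADIUS 2.x/3.x, which postdates this 2004 exchange, and the AV-pair value is a constructed sample.

```conf
# Added example: virtual-server fragment, FreeRADIUS 2.x/3.x syntax (assumption).
post-auth {
    # Statements placed directly in post-auth run only for requests that
    # are being accepted, so the Cisco AV pair is attached to the
    # Access-Accept and never to an Access-Reject.
    update reply {
        # Constructed sample value; substitute the AV pairs you need.
        Cisco-AVPair += "shell:priv-lvl=15"
    }

    # Rejected requests run this subsection instead of the statements above.
    Post-Auth-Type REJECT {
        # attr_filter instance from the stock configuration of those
        # releases: removes reply attributes that are not allowed in an
        # Access-Reject, which catches items added earlier in authorize
        # (users file, SQL reply tables).
        attr_filter.access_reject
    }
}
```

To check the result, send one request with a correct password and one with a wrong password while the server runs in debug mode, and confirm the AV pair appears only in the Access-Accept.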