On Mon, 07 Jun 2004 16:36:53 +1000 "Paul Hampson" <[EMAIL PROTECTED]> wrote:
> jesk writes:
>
> > On Mon, 7 Jun 2004 05:26:11 +1000
> > [EMAIL PROTECTED] (Paul Hampson) wrote:
> >
> > > On Sat, Jun 05, 2004 at 10:51:38PM +0200, jesk wrote:
> > > > Hello,
> > > >
> > > > I'm having problems understanding how FreeRADIUS differentiates
> > > > between reply items which are replied every time, no matter
> > > > whether authentication is successful, like the attribute
> > > > "Reply-Message", and attributes which are only replied if the
> > > > authentication is successful.
> > > >
> > > > I'm asking this in order to integrate "Cisco AV-Pairs" correctly
> > > > as ReplyItems, which should only be replied if the
> > > > authentication is successful. At the moment they are replied
> > > > every time, whether the supplied User-Password is correct or
> > > > not.
> > >
> > > Why not add the reply-items in post-auth, with the Post-Auth-Type
> > > not being Reject? That's how rlm_ippool is used, for example, so
> > > that you don't assign IPs to rejected clients.
> >
> > Can you explain to me in a little more detail how to accomplish this,
> > and why some attributes are replied and some others are not when the
> > authentication fails because of a wrong password, for example?
>
> Well, I could be wrong but I assume at this point that reply-items
> added during authorization will always be sent, and reply-items added
> during authentication will only be sent if authentication succeeds.
> The trick to be careful of is that SQL's reply-items are added during
> authorization, not authentication, so that may not be the best time to
> add reply items which you don't want to send on rejection.
>
> Unless post-auth-query lets you return reply-items (and I don't think
> it does, off hand) you may need to put together an rlm_exec to fetch
> the rows you want to send, and call that during post-auth with a
> Post-Auth-Type Accept block or similar. (There should be examples in
> the config file and docs.)
>
> If you're not using SQL but using rlm_files, then I don't know why
> reply attributes attached to a failed entry in the users file are
> coming through, unless they were added by a previous entry which fell
> through?
>
> --
> Paul "TBBle" Hampson, on a webmail client!
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Hi,

Yes, you are right, I am using MySQL for authorization and authentication.
I will try it with the post-auth to get this working; I hope this is
feasible. Maybe someone can attach a simple example of how to do this.
Maybe there is another, easier way to do this?!

Thanks for any further hints!

Best regards,
Christian

Kind regards
Christian Meutes
systems engineer
--
claranet gmbh
internet service provider
tel +49 (0) 69 - 40 80 18 - 300
email: [EMAIL PROTECTED]
http://www.claranet.de/
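
A sketch of the post-auth approach suggested in the thread, added here as an example; it is not taken from either poster's message or from the FreeRADIUS distribution. Assumptions: the instance name `cisco_avpairs`, the helper path and the sample AV-pair value are hypothetical, the Cisco-AVPair rows have been removed from the SQL reply tables, and the server release in use processes the `post-auth` section only for requests that were accepted.

```conf
# radiusd.conf fragment (added example; names and paths are hypothetical)

modules {
	# rlm_exec instance that fetches the per-user Cisco AV-pairs.
	# The helper must print one attribute per line on stdout, e.g.
	#   Cisco-AVPair = "shell:priv-lvl=15"      (constructed sample value)
	exec cisco_avpairs {
		# Wait for the helper to finish; without this its output
		# is never read and nothing is added to the reply.
		wait = yes

		# Hypothetical helper that looks up the AV-pairs for the user.
		program = "/usr/local/sbin/avpairs-for-user %{User-Name}"

		# Request attributes are exported to the helper's environment.
		input_pairs = request

		# Attributes printed by the helper are added to the reply list.
		output_pairs = reply
	}
}

authorize {
	# SQL still supplies check items (and harmless reply items such as
	# Reply-Message). Assumption: Cisco-AVPair is no longer stored in
	# the SQL reply tables, so it is not attached during authorization.
	sql
}

authenticate {
	# unchanged from the existing configuration
}

post-auth {
	# Reached only after the password check succeeded (assumption stated
	# above), so a request that fails authentication never gets here and
	# the AV-pairs never enter the reply for an Access-Reject.
	cisco_avpairs
}
```

To check the result, send one request with a correct and one with a wrong password while the server runs in debug mode (`radiusd -X`) and compare the attribute lists of the two replies: the Cisco-AVPair lines should appear only in the Access-Accept.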

