Ok. I was just assuming that the FreeRADIUS Wiki was an authoritative source, and if it's written there, there must be something I just wasn't understanding that required it to be that way. When I get something working correctly, shall I register for an account and update your wiki page accordingly (once MySQL is working again)?

-Jason

Alan DeKok wrote:
> Jason Antman wrote:
> > And in post-auth{}:
> > ### snip ###
> > if(control:Auth-Type == 'CSID'){
> >     # Authorization happens here
> >     authorized_macs.authorize
> >     if(!ok){
> >         reject
>
>   Uh... why?  If the user is authenticated, you shouldn't be rejecting him.
>
> > If I put a "sql" line before this, it always logs with Access-Accept,
> > since that's what authenticate{} ALWAYS returns, and the sql module is
> > being called before . If I put a "sql" line after this, it never gets
> > executed for "reject" statements...
>
>   Because you're doing it wrong.  The whole point of accepting the user
> is that you *don't* reject them.
>
>   Change your rules to reject the user *before* they're accepted.  The
> logging will then behave as you expect.  It doesn't behave as you expect
> now, because you're rejecting them after you've accepted them.  That
> makes no sense.
>
> > Why is the authorize statement in the post-auth { } section? That seems
> > to be the cause of these problems...
>
>   So move it.
>
>   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
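
The change described in the quoted reply, sketched as an added example (not configuration posted in the thread or taken from the FreeRADIUS project): the MAC check runs in authorize{} so an unknown MAC is rejected before any accept, and sql logs both outcomes. The `preprocess` line, the `update control` block and the `Post-Auth-Type REJECT` placement are assumptions about the rest of the setup, which the thread does not show.

```unlang
# Added sketch, not the poster's actual configuration.
authorize {
    preprocess

    # Authorization happens here, before the user is accepted.
    authorized_macs
    if (!ok) {
        # Unknown MAC: reject now, so no Access-Accept is ever produced.
        reject
    }
    else {
        # Assumption: known MACs go on to the CSID Auth-Type named in
        # the thread; how that Auth-Type is really set is not shown there.
        update control {
            Auth-Type := CSID
        }
    }
}

post-auth {
    # Reached only by accepted requests, so this logs Access-Accept.
    sql

    # Rejected requests are processed here instead, so the same
    # module logs them as Access-Reject.
    Post-Auth-Type REJECT {
        sql
    }
}
```

With the check in authorize{}, post-auth{} no longer contains a reject, so the accept-side sql line never records a request that is later refused.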
