Thomas Jalsovsky <[EMAIL PROTECTED]> wrote: > Sorry, I'm confusing. > radiusd.c > /* > * Authentication REJECT's can have only > * EAP-Message, Message-Authenticator > * Reply-Message and Proxy-State. > * > * We delete everything other than these. > * Proxy-State is added below, just before the > * reply is sent. > */
Yes, and look at the code just below that. It moves over Vendor-Specific, too. > request->reply->code = PW_AUTHENTICATION_REJECT; > pairfree(&request->reply->vps); > tmp = pairmake("Reply-Message", user_msg, T_OP_SET); > request->reply->vps = tmp; Hmm... that would appear to be a bug. The authentication code SHOULD NOT play with the attributes. It should leave that to the main code. > So, if my perl script returns non-zero value (I reject the user), the > radius server sends back PW_AUTHENTICATION_REJECT with only one attribut: > Reply-Message. Where are the mentioned VSAs? That's a problem. I'll see if I can fix it today or tomorrow. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html