Hi, I went a bit further. Seems like tcpdump was only capturing the first 96 bytes of packets, so I used tcpdump -s 0 and came to the surprise that freeradius is actually sending an Access-Reject packet with 2 Reply-Message attributes.
The first Reply-Message attribute in the packets contains the output from the external script. The second Reply-Message attribute in the packets contains "login denied (external check failed)" So the NAS is just taking the last Reply-Message attribute of the packet to display to the user. Any way to tell freeradius only to send the output from the external script? Thanx, Thor. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
