As per my ramblings below, I ran the server in debug level 3, and one can see that it is the correct DEFAULT entry that it is picking up :

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=80, length=139
        Framed-Protocol = PPP
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "TestUser"
        NAS-Port-Type = Virtual
        NAS-Port = 1234567890
        NAS-Port-Id = "1/1/1/1.1"
        Connect-Info = "AutoShapedVC"
        Service-Type = Framed-User
        NAS-IP-Address = xxx.xxx.xxx.xxx
        Proxy-State = 0x3439
Fri May 18 13:39:07 2007 : Debug: Processing the authorize section of radiusd.conf
Fri May 18 13:39:07 2007 : Debug: modcall: entering group authorize for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "chap" returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "mschap" returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug: rlm_realm: Looking up realm "realm.com" for User-Name = "[EMAIL PROTECTED]"
Fri May 18 13:39:07 2007 : Debug: rlm_realm: No such realm "realm.com"
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "eap" returns noop for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 21
*Fri May 18 13:39:07 2007 : Debug: users: Matched entry DEFAULT at line 54*
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "files" returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: calling exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'u:[EMAIL PROTECTED]'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'p:TestUser'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 'n:1234567890'
Fri May 18 13:39:07 2007 : Debug: radius_xlat: 't:Virtual'
Fri May 18 13:39:07 2007 : Debug: Exec-Program output:
Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
Fri May 18 13:39:07 2007 : Error: rlm_exec (exec-radauth): External script failed
Fri May 18 13:39:07 2007 : Debug: modsingle[authorize]: returned from exec-radauth (rlm_exec) for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "exec-radauth" returns fail for request 21
Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize (returns fail) for request 21
Fri May 18 13:39:07 2007 : Debug: Finished request 21
Fri May 18 13:39:07 2007 : Debug: Going to the next request
Fri May 18 13:39:07 2007 : Debug: --- Walking the entire request list ---
Fri May 18 13:39:07 2007 : Debug: Waking up in 3 seconds...

Line 54 of my users file contains :

DEFAULT Auth-Type = Accept

I don't know if that helps at all, but this one has me well and truly stumped...

:~[

Patrick

Patric wrote:
> [EMAIL PROTECTED] wrote:
>> you have various other attributes in your real production system - perhaps
>> you have matching DEFAULT values (eg in users file) which are aiding the
>> access accept?
>
> If that were the case, then wouldn't this eliminate the problem:
>
> My radiusd.conf authorize section contains only this :
>
> authorize {
>         files
>         exec-radauth
> }
>
> My users file contains only this :
>
> DEFAULT Auth-Type = Accept
>
>
> If I understand it correctly this would mean that the only
> authentication done is by my script.
> I did the above on the production server, but I am still not returning
> an access-reject...
>
> I have now also upgraded freeradius on the production server to 1.1.6,
> also with the same result - no access-reject returned...
>
> I am now at a loss as to where else to look, but I suspect it's some kind
> of config setting. Where? I don't know :[
>
> Thanks guys
> Patrick

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
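
As an added example (not part of the original message and not FreeRADIUS code), this script pulls the per-module return codes out of debug output shaped like the log above and reports the first failing module for each request. The sample lines are constructed from that log, and treating `fail`, `reject`, `invalid` and `userlock` as failures is an assumption of the example.

```python
import re

# Constructed sample, shaped like the debug lines quoted in the message above.
SAMPLE = """\
Fri May 18 13:39:07 2007 : Debug: modcall: entering group authorize for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "preprocess" returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "files" returns ok for request 21
Fri May 18 13:39:07 2007 : Debug: Exec-Program: returned: 1
Fri May 18 13:39:07 2007 : Error: rlm_exec (exec-radauth): External script failed
Fri May 18 13:39:07 2007 : Debug: modcall[authorize]: module "exec-radauth" returns fail for request 21
Fri May 18 13:39:07 2007 : Debug: modcall: leaving group authorize (returns fail) for request 21
"""

# One pattern scanned with finditer, so a log run together onto one line still parses.
EVENT_RE = re.compile(
    r'Exec-Program: returned: (?P<status>-?\d+)'
    r'|modcall\[(?P<section>[\w-]+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<code>\w+) for request (?P<req>\d+)'
    r'|modcall: leaving group (?P<group>[\w-]+) '
    r'\(returns (?P<gcode>\w+)\) for request (?P<greq>\d+)'
)
# Assumption of this example: these module return codes count as a failure.
FAILURE_CODES = {"fail", "reject", "invalid", "userlock"}


def summarize(log_text):
    """Map request id -> module results, section results and first failure."""
    requests = {}
    pending_exec = None  # exit status logged just before the exec module's result line

    def entry(req):
        return requests.setdefault(
            int(req), {"modules": [], "sections": {}, "first_failure": None})

    for m in EVENT_RE.finditer(log_text):
        if m.group("status") is not None:
            pending_exec = int(m.group("status"))
        elif m.group("module") is not None:
            result = {"section": m.group("section"), "module": m.group("module"),
                      "code": m.group("code"), "exec_status": pending_exec}
            pending_exec = None
            e = entry(m.group("req"))
            e["modules"].append(result)
            if result["code"] in FAILURE_CODES and e["first_failure"] is None:
                e["first_failure"] = result
        else:
            entry(m.group("greq"))["sections"][m.group("group")] = m.group("gcode")
    return requests


if __name__ == "__main__":
    for req, info in summarize(SAMPLE).items():
        print(req, info["sections"], info["first_failure"])
```

The exit status is attached to the next module result line, which assumes the debug output of different requests is not interleaved.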