On 26 Sep 2011, at 17:27, andreapepa wrote:

> http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log 
> 
> In the attached file the complete log, didn't notice before that the
> process was so long..

A notfound return code in the authorize section means continue with a priority 
of 1.

The EAP module runs after the SQL module and returns handled. A handled return 
code in the authorize section means return and so the notfound return code is 
never processed.

If you want the server to stop processing the request if the user isn't found 
in the SQL database, rewrite the notfound return code to reject.

sql {
        notfound = reject
}

Unfortunately there's no way to signal the EAP module to send an EAP fail, so 
you have to do it manually...

Add the following to policy.conf

policy {
        eap_failure {
                if(EAP-Message =~ /^..([0-9a-f]{2})/i){
                        update reply {
                             EAP-Message := "0x04%{1}0004"
                        }
                }
        }
        ...
}

Then add a call in 

post-auth {
        post-auth-type REJECT {
                eap_failure
        }
}

That rewrites the EAP message returned with the reject to be a 'fail' with the 
correct ID field value. Extremely hacky, but it works, and is the only way to 
do it currently...

-Arran


Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
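For readers wanting to see what the eap_failure policy above actually constructs, the following is an added example (not FreeRADIUS code and not from the thread) that parses the 4-byte EAP header from RFC 3748 and builds an EAP-Failure packet echoing the peer's identifier: code 4, the request's ID, length 4. It assumes the EAP-Message attribute is handed to it either as raw bytes or as a "0x"-prefixed hex string; the sample EAP-Response/Identity packet is constructed for the example.

```python
import struct

# EAP codes from RFC 3748 section 4
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_CODE_SUCCESS = 3
EAP_CODE_FAILURE = 4


def parse_eap_header(packet: bytes):
    """Return (code, identifier, length) from an EAP packet's 4-byte header.

    Raises ValueError if the packet is shorter than the header or if the
    length field disagrees with the data actually present.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(
            f"EAP length field {length} inconsistent with {len(packet)} bytes present"
        )
    return code, identifier, length


def build_eap_failure(peer_packet: bytes) -> bytes:
    """Build an EAP-Failure answering the given peer packet.

    The identifier is copied from the peer's packet so the supplicant
    matches the failure to its outstanding exchange; an EAP-Failure has no
    data, so the length field is always 4 (header only).
    """
    _, identifier, _ = parse_eap_header(peer_packet)
    return struct.pack("!BBH", EAP_CODE_FAILURE, identifier, 4)


def eap_failure_hex(eap_message: str) -> str:
    """Same operation on the string form of the EAP-Message attribute.

    Assumption: the attribute value is a hex string, optionally prefixed
    with "0x", as FreeRADIUS expands octets attributes.
    """
    hexstr = eap_message[2:] if eap_message.lower().startswith("0x") else eap_message
    return "0x" + build_eap_failure(bytes.fromhex(hexstr)).hex()


if __name__ == "__main__":
    # Constructed sample: EAP-Response (code 2), identifier 0x37, length 10,
    # type 1 (Identity), identity "alice".
    sample_response = bytes.fromhex("0237000a01616c696365")
    print(parse_eap_header(sample_response))            # (2, 55, 10)
    print(build_eap_failure(sample_response).hex())      # 04370004
    print(eap_failure_hex("0x0237000a01616c696365"))     # 0x04370004
```

The `0x04%{1}0004` string in the policy corresponds exactly to what `eap_failure_hex` returns: the capture group supplies the identifier byte, and the surrounding literals are the failure code and the fixed length.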
