I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':=' operator to reject a CHAP authentication.
Unfortunately, it's not always easy to place a live production system in debug mode, hence the initial "is this something stupid" question :) (And apologies for the lack of a subject line in the original post).

Cheers,
Matt

-----Original Message-----
Date: Fri, 24 May 2013 17:31:29 +0100
From: Phil Mayers <p.may...@imperial.ac.uk>
To: freeradius-users@lists.freeradius.org
Subject: Re: Auth-Type = Reject not being obeyed
Message-ID: <519f95e1.6010...@imperial.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 24/05/13 17:19, Alan Buxey wrote:
> The only difference I can see is that the first example uses a
> plain-text password, and the RADIUS on the LNS is using CHAP?
>
> The backend database has "=" in the 'op' field (and not ":="), so the
> returned attribute is "Auth-Type = Reject" and not "Auth-Type :=
> Reject", but it is correctly rejected using radtest/radclient, and I
> believe the "=" operand to be correct.

You might have this:

authorize {
  ...
  chap
  sql
  ...
}

..and Auth-Type is already set by chap, hence "=" doesn't overwrite it.

Anyway, you're not correct that "=" is the right operator; ":=" means "force" i.e. set this attribute to this value, always, and that's what you want to do here, right?

"=" means "set if unset"

As has also been pointed out - show "radiusd -X" for a problem auth (and set a subject line...)
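
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the behaviour discussed above, with chap running before sql in authorize. The function names, sample requests and rows are constructed for illustration, and the model assumes chap adds Auth-Type with "set if unset" semantics.

```python
# Simplified model of check-item operators; this is not FreeRADIUS source.
#   "="  adds the attribute only if the control list does not have it yet
#   ":=" replaces whatever value is already there ("force")

def apply_check_item(control, attr, op, value):
    """Merge one check item into the control list (a dict in this model)."""
    if op == ":=":
        control[attr] = value
    elif op == "=":
        control.setdefault(attr, value)
    else:
        raise ValueError(f"operator {op!r} is outside this model")
    return control

def chap_authorize(request, control):
    """Model of chap in authorize: claim requests carrying CHAP-Password."""
    if "CHAP-Password" in request:
        apply_check_item(control, "Auth-Type", "=", "CHAP")

def sql_authorize(control, rows):
    """Model of sql in authorize: merge (attribute, op, value) rows."""
    for attr, op, value in rows:
        apply_check_item(control, attr, op, value)

def authorize(request, rows):
    """Run chap, then sql, and return the resulting Auth-Type."""
    control = {}
    chap_authorize(request, control)
    sql_authorize(control, rows)
    return control.get("Auth-Type")

# Constructed sample data: a radtest-style PAP request and a CHAP request
# as an LNS would send, plus the backend row with each operator.
PAP_REQUEST = {"User-Name": "bob", "User-Password": "secret"}
CHAP_REQUEST = {"User-Name": "bob", "CHAP-Password": "0x01ab"}
ROW_EQ = [("Auth-Type", "=", "Reject")]
ROW_FORCE = [("Auth-Type", ":=", "Reject")]

if __name__ == "__main__":
    for name, req in (("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST)):
        for rows in (ROW_EQ, ROW_FORCE):
            op = rows[0][1]
            print(f"{name:4} op {op:2} -> Auth-Type {authorize(req, rows)}")
```

With "=" the PAP test is rejected while the CHAP request keeps Auth-Type CHAP, which matches the symptom in the thread; only ":=" rejects both.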