On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
> Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> > We have freeradius-0.5 doing only proxy.
> > And the problem is:
> > when radius receives Access-Reject packet from remote server,
> > it proxies it back to the NAS without any attributes,
> > Reply-Message in particular.
>
> Read the RFCs. That's how RADIUS is *supposed* to work.
I've found nothing in RFC 2865 about any restrictions
for Access-Reject but this:
    If any condition is not met, the RADIUS server sends an "Access-
    Reject" response indicating that this user request is invalid. If
    desired, the server MAY include a text message in the Access-Reject
    which MAY be displayed by the client to the user. No other
    Attributes (except Proxy-State) are permitted in an Access-Reject.
So, Reply-Message MAY be present in Access-Reject,
and it is PRESENT in the packet from remote server,
but is not being sent back to NAS by this proxy radius.
Correct me if I'm wrong, please.
Here is a bug, I think, and it comes from delaying
the Access-Reject:
On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >And what does "Delaying request 91752 for 1 seconds" mean?
>
> It's a throttling feature. Some radius clients can cause what amounts
> to a DOS by repeatedly requesting authentication for failed users. IE,
> user gets rejected, nas sends another request, user gets rejected, nas
> sends another request. This was for a PPPoE/DSL authentication, so it
> was instantaneous. A configurable delay before sending the Reject
> back to the NAS allows the server to effectively throttle the rate at
> which that type of NAS can hammer it with requests. If you set it to
> zero, it disables the delay altogether.
>
> This is in the 'security' section of the 'radiusd.conf' file.
Sorry, Chris, I'm slightly blind :)
When I set reject_delay = 0 in the security section of radiusd.conf,
the same Access-Request packet shows the following:
% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
User-Name = "sltest"
User-Password = "U\356~\271\354X\213<bcV\301\032/V\\"
NAS-IP-Address = dyatel.antar.bryansk.ru
NAS-Port-Id = "3"
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=68, length=46
Reply-Message = "Authentication failure\r\n"
So, if the reject_delay = 0, radius sends the Reply-Message
in Access-Reject back to the NAS,
and if reject_delay = 1, does not.
Or, maybe it's a feature?
Thanks for your comments.
--
Fduch M. Pravking
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
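The thread turns on two checks a proxy (or anyone debugging one) needs: that an Access-Reject carries only the attributes RFC 2865 permits (Reply-Message and Proxy-State), and that the Response Authenticator on each hop is computed over the right request authenticator and shared secret. The following is an added illustration, not code from FreeRADIUS or from anyone on this list; it builds a home-server Access-Reject with the same id and Reply-Message shown in the radtest output above, verifies it, and re-signs it for the NAS the way a proxy would. The shared secrets, request authenticators and Proxy-State value are constructed sample values (the secret `testing123` is simply the one typed into radtest above).

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_REPLY_MESSAGE = 18
ATTR_PROXY_STATE = 33

# RFC 2865 section 4.3: an Access-Reject may carry Reply-Message and
# Proxy-State, and nothing else.
ALLOWED_IN_REJECT = {ATTR_REPLY_MESSAGE, ATTR_PROXY_STATE}

# Constructed sample values, not captured from any real system
SECRET = b"testing123"
HOME_REQUEST_AUTH = bytes(range(16))
NAS_REQUEST_AUTH = bytes(range(16, 32))
PROXY_STATE = b"proxy-hop-1"


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type/length/value attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a response; Response Authenticator per RFC 2865 section 3 is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(data):
    """Decode header and attributes, refusing malformed lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def verify_response(data, request_auth, secret):
    """Check the Response Authenticator against the request it answers."""
    _, _, auth, _ = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, auth)


def disallowed_reject_attrs(data):
    """Attribute types in an Access-Reject that RFC 2865 does not permit."""
    code, _, _, attrs = parse_packet(data)
    if code != ACCESS_REJECT:
        return []
    return sorted({t for t, _ in attrs if t not in ALLOWED_IN_REJECT})


def reply_messages(data):
    """All Reply-Message strings in a packet (what the NAS may show the user)."""
    _, _, _, attrs = parse_packet(data)
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE]


def forward_reject(upstream, up_request_auth, up_secret, own_proxy_state,
                   nas_ident, nas_request_auth, nas_secret):
    """Proxy step: verify the home server's reject, strip only the Proxy-State
    this proxy added, keep Reply-Message, and re-sign for the NAS."""
    if not verify_response(upstream, up_request_auth, up_secret):
        raise ValueError("upstream Response Authenticator mismatch")
    code, _, _, attrs = parse_packet(upstream)
    kept = [(t, v) for t, v in attrs
            if not (t == ATTR_PROXY_STATE and v == own_proxy_state)]
    return build_response(code, nas_ident, nas_request_auth, kept, nas_secret)


def sample_home_reject():
    """Access-Reject as the home server would return it to the proxy: id 68,
    Reply-Message "Authentication failure\\r\\n", plus the echoed Proxy-State."""
    return build_response(ACCESS_REJECT, 68, HOME_REQUEST_AUTH,
                          [(ATTR_REPLY_MESSAGE, b"Authentication failure\r\n"),
                           (ATTR_PROXY_STATE, PROXY_STATE)], SECRET)
```

Running `forward_reject(sample_home_reject(), HOME_REQUEST_AUTH, SECRET, PROXY_STATE, 68, NAS_REQUEST_AUTH, b"nas-secret")` yields a 46-byte Access-Reject with only the Reply-Message, the same length radtest reports above; a reject that fails `verify_response` for the upstream hop, or that contains attributes outside `ALLOWED_IN_REJECT`, is the thing to log rather than forward.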