On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
> Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> > We have freeradius-0.5 doing only proxy.
> > And the problem is:
> > when radius receives Access-Reject packet from remote server,
> > it proxies it back to the NAS without any attributes,
> > Reply-Message in particular.
>
> Read the RFC's. That's how RADIUS is *supposed* to work.
I've found nothing in RFC 2865 about any restrictions for Access-Reject but this:

   If any condition is not met, the RADIUS server sends an "Access-Reject"
   response indicating that this user request is invalid. If desired, the
   server MAY include a text message in the Access-Reject which MAY be
   displayed by the client to the user. No other Attributes (except
   Proxy-State) are permitted in an Access-Reject.

So, Reply-Message MAY be present in Access-Reject, and it is PRESENT in the
packet from remote server, but is not being sent back to NAS by this proxy
radius. Correct me if I'm wrong, please.

Here is a bug, I think, and it comes from delaying the Access-Reject:

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >And what does "Delaying request 91752 for 1 seconds" mean?
>
> It's a throttling feature. Some radius clients can cause what amounts
> to a DOS by repeatedly requesting authentication for failed users. IE,
> user gets rejected, nas sends another request, user gets rejected, nas
> sends another request. This was for a PPPoE/DSL authentication, so it
> was instantaneous. A configurable delay before sending the Reject
> back to the NAS allows the server to effectively throttle the rate at
> which that type of NAS can hammer it with requests. If you set it to
> zero, it disables the delay altogether.
>
> This is in the 'security' section of the 'radiusd.conf' file.
Sorry, Chris, I'm slightly blind :)

When I set reject_delay = 0 in the security section of radiusd.conf, the same
Access-Request packet shows the following:

% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
        User-Name = "sltest"
        User-Password = "U\356~\271\354X\213<bcV\301\032/V\\"
        NAS-IP-Address = dyatel.antar.bryansk.ru
        NAS-Port-Id = "3"
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=68, length=46
        Reply-Message = "Authentication failure\r\n"

So, if the reject_delay = 0, radius sends the Reply-Message in Access-Reject
back to the NAS, and if reject_delay = 1, does not. Or, maybe it's a feature?

Thanks for your comments.

-- 
Fduch M. Pravking

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
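The two things argued over in this thread, what RFC 2865 permits inside an Access-Reject (only Reply-Message and Proxy-State) and whether a proxy forwards the Reply-Message it received upstream, can both be checked mechanically on the wire. The script below is an added example for this page, not code from the thread or from FreeRADIUS. It builds constructed Access-Reject packets reusing the id 68 and shared secret testing123 visible in the radtest run, with a made-up Request Authenticator; it verifies the Response Authenticator as RFC 2865 section 3 defines it, lists attributes the RFC does not allow in a reject, and reports attributes that an upstream reply carried but the forwarded copy lacks. The attribute type numbers are the standard RFC 2865 values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_REJECT = 3
FRAMED_IP_ADDRESS = 8
REPLY_MESSAGE = 18
PROXY_STATE = 33

# RFC 2865 section 4.3: nothing but Reply-Message and Proxy-State may appear
# in an Access-Reject.
ALLOWED_IN_REJECT = {REPLY_MESSAGE, PROXY_STATE}

SECRET = b"testing123"             # the secret radtest used on the page
REQUEST_AUTH = bytes(range(16))    # constructed stand-in for the request authenticator
REPLY = b"Authentication failure\r\n"


def build_packet(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 s.3).
    attrs is a list of (type, value_bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(packet):
    """Return the (type, value) pairs carried by a RADIUS packet, refusing
    length fields that do not match the bytes actually received."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_response(packet, request_auth, secret):
    """True if the Response Authenticator binds this reply to our request."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def reject_violations(packet):
    """Attribute types present in an Access-Reject that RFC 2865 forbids."""
    if packet[0] != ACCESS_REJECT:
        raise ValueError("not an Access-Reject")
    return sorted({t for t, _ in parse_attrs(packet)} - ALLOWED_IN_REJECT)


def dropped_by_proxy(upstream, forwarded):
    """Attribute types the upstream server sent that the proxy did not pass on.
    Proxy-State is the proxy's own bookkeeping, so it is excluded."""
    up = {t for t, _ in parse_attrs(upstream)} - {PROXY_STATE}
    fw = {t for t, _ in parse_attrs(forwarded)} - {PROXY_STATE}
    return sorted(up - fw)


def demo():
    """Constructed packets modelling the situation in the thread."""
    upstream = build_packet(ACCESS_REJECT, 68, REQUEST_AUTH,
                            [(REPLY_MESSAGE, REPLY), (PROXY_STATE, b"\x00\x01")], SECRET)
    forwarded_ok = build_packet(ACCESS_REJECT, 68, REQUEST_AUTH,
                                [(REPLY_MESSAGE, REPLY)], SECRET)
    forwarded_stripped = build_packet(ACCESS_REJECT, 68, REQUEST_AUTH, [], SECRET)
    # A reject carrying Framed-IP-Address is not RFC-conformant.
    nonconformant = build_packet(ACCESS_REJECT, 68, REQUEST_AUTH,
                                 [(REPLY_MESSAGE, REPLY),
                                  (FRAMED_IP_ADDRESS, b"\x0a\x00\x00\x01")], SECRET)
    tampered = forwarded_ok[:-1] + b"X"   # same length, last byte changed
    return {
        "forwarded_len": len(forwarded_ok),            # matches length=46 on the page
        "auth_ok": verify_response(forwarded_ok, REQUEST_AUTH, SECRET),
        "auth_tampered": verify_response(tampered, REQUEST_AUTH, SECRET),
        "violations_ok": reject_violations(forwarded_ok),
        "violations_bad": reject_violations(nonconformant),
        "dropped": dropped_by_proxy(upstream, forwarded_stripped),
        "dropped_none": dropped_by_proxy(upstream, forwarded_ok),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A 20-byte header plus the 26-byte Reply-Message attribute gives the length=46 the radtest output reports, so the constructed "good" reply has the same shape as the one on the page. Running dropped_by_proxy over a capture of the upstream reply and of what the proxy sent the NAS is the quick way to confirm whether reject_delay is the setting that makes the Reply-Message disappear.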