Alan, thank you very much for your reply. Sorry if my reply breaks message threading for you - I am replying based on the web-archive as I don't receive this list by email.
Alan DeKok wrote:
> Andriy Gapon <avg at icyb.net.ua> wrote:
>> Is there a way to force a silent drop of a packet instead of sending
>> Access-Reject ?
>
> No.
>
>> On a somewhat related note: is there a way to make FreeRADIUS server
>> drop/reject all incoming packets without Message-Authenticator the same
>> way it does this for packets with invalid/incorrect value in that
>> attribute ? Preferably through configuration, without changes in code.
>
> $ man users
>
> DEFAULT Message-Authenticator !* 0x00, Auth-Type := Reject

It seems that I was a little bit confused in my assumptions about dropping and rejecting. Do I understand correctly now that a packet is dropped only if rad_recv() returns NULL and in all other cases a reply is sent?

If this is correct, then a packet is dropped only in two cases related to Message-Authenticator:
(1) if the length of this attribute is invalid;
(2) if EAP-Message is present but Message-Authenticator is not.

I think that it would be nice if the list of such situations could be configurable and extensible. For example, there are some RADIUS-related solutions/drafts out there that require requests to be silently dropped if they don't have Message-Authenticator or have an incorrect Message-Authenticator value. Neither can be done now with FreeRADIUS without modifying its source code. Please note that I am talking now only about dropping requests, not rejecting them. Rejecting is very easy, as your example shows (thanks a lot for it!).

Maybe the following would be good enhancements (if they are not too hard to implement):

1. have a configurable list of attributes that require Message-Authenticator (so that I could put Message-Digest there, for example, in addition to EAP-Message)
2. have a configuration knob that could tell "drop all incoming messages without Message-Authenticator"
3. do Message-Authenticator value validation in rad_recv() (this could be configurable too, defaulting to current behavior)

Even more flexible would be a capability to silently drop a packet in any (auth) module, but I think that it would require a lot of work.

BTW, there is a bug report in FreeRADIUS bugzilla related to this (it's not mine):
http://bugs.freeradius.org/show_bug.cgi?id=313

What do you think about such extensions? Will code contributions be welcomed for them?

--
Andriy Gapon

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
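The drop rules discussed in the message above, as an added example that is not FreeRADIUS code: a Python classifier for incoming Access-Requests that silently drops on an invalid attribute length or on EAP-Message without Message-Authenticator, and goes on to implement the three proposed knobs, a configurable list of attributes that require Message-Authenticator (`require_ma_for`), a drop-everything-without-it switch (`drop_missing_ma`), and validation of the value in the receive path as RFC 2869 specifies it (HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed, mismatch silently discarded). Function names, parameter names and the sample packets are assumptions constructed here.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865/2869 attribute types used by the example
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def build_access_request(secret, attrs, sign=True, ident=1):
    """Constructed sample input: an Access-Request (code 1) from (type, value) pairs.
    With sign=True a Message-Authenticator is appended and filled in per RFC 2869."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + os.urandom(16) + body
    if sign:  # HMAC over the packet with the (last) attribute value still zeroed
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


def parse_attributes(body, base=20):
    """Return [(type, value, value_offset)] or None if an attribute length is invalid."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            return None
        attrs.append((body[i], body[i + 2:i + body[i + 1]], base + i + 2))
        i += body[i + 1]
    return attrs


def classify(packet, secret, require_ma_for=(EAP_MESSAGE,), drop_missing_ma=False):
    """'drop' = silently discarded with no reply; 'ok' = handed to normal processing,
    where a users-file entry like the one quoted above may still send Access-Reject."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "drop"
    attrs = parse_attributes(packet[20:])
    if attrs is None:
        return "drop"                       # invalid attribute length
    mas = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:                             # Message-Authenticator absent
        if drop_missing_ma or any(t in require_ma_for for t, _, _ in attrs):
            return "drop"
        return "ok"
    value, off = mas[0]
    if len(value) != 16:
        return "drop"                       # invalid Message-Authenticator length
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, value) else "drop"
```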