RE: Access-Reject has no Reply-Message (2nd try)
From: 野村 健
Sent: Monday, 20 October 2003 6:35 PM

> I want my freeradius server to send Access-Reject packet with Reply-Message
> in it, so that NAS can alert user when authentication fails. But, it's not
> working so far.
> When authentication succeeds, my freeradius server sends Access-Accept packet
> with Reply-Message in it. But when authentication fails, it sends Access-Reject
> packet with no Reply-Message in it..
>
> So my question is why my freeradius doesn't include Reply-Message into
> Access-Reject packet, and how can I fix this problem?
>
> ---users
> [EMAIL PROTECTED] Auth-Type := Local, User-Password == "secret"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-address = 192.168.200.1,
>         Framed-IP-Netmask = 255.255.255.0,
>         Session-Timeout = 30,
>         Reply-Message = "111",
>         Reply-Message = "222",
>         Reply-Message = "333",

As you've observed, this will only add a Reply-Message if the authentication
succeeds. In the same way as it will only give an IP address or Session
Timeout if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Access-Reject has no Reply-Message
I want my freeradius to send Access-Reject packet with Reply-Message in it,
so that NAS can alert user in some fancy way when authentication fails.
But, it's not working so far.
When authentication succeeds, my freeradius sends Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to RFC, Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contains
Reply-Message in Access-Reject packet if Reply-Message is configured.

So my question is:
Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.

Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr 4 2002 at 04:33:11

[users]
[EMAIL PROTECTED] Auth-Type := Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message = "111",

[radius.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
# On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group)
# when the value of (unsigned)group is above 6;
# don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate user
Re: Access-Reject has no Reply-Message
----- Original Message -----
From: "野村 健" [EMAIL PROTECTED]

> I want my freeradius to send Access-Reject packet with Reply-Message in it,
> so that NAS can alert user in some fancy way when authentication fails.
> But, it's not working so far.
> When authentication succeeds, my freeradius sends Access-Accept packet
> with Reply-Message in it, but this is not the way I want it to be.
>
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contains
> Reply-Message in Access-Reject packet if Reply-Message is configured.
>
> So my question is:
> Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
>
> I have attached some logs below.
> I really need help.
> Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:

--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
  * had a non-zero exit status.
  */
 if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
 } else {
 user_msg = umsg[0];
 }
 
 request-reply-code = PW_AUTHENTICATION_REJECT;
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
- pairadd(request-reply-vps, tmp);
+ /* Only add reply-message when one is available */
+ if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(request-reply-vps, tmp);
+ }
 rad_authlog("Login incorrect (external check failed)",
 request, 0);



Thor.
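Review bot: the NULL guard around pairmake()/pairadd() is sound, but the unchanged context line `user_msg = umsg[0];` assigns a single char to a `char *`, and `request-reply-code` / `pairadd(request-reply-vps, tmp)` are missing `->` and `&`; either the mail transcription dropped those characters or the hunk as posted will not compile, so regenerate the diff with `diff -u` against the real file before resubmitting. The behaviour change also deserves a sentence in the patch description: with the default "Access denied (external check failed)" text removed, the NAS (and the end user) no longer learn that an external check rather than the credentials failed, while `rad_authlog("Login incorrect (external check failed)", ...)` still records the real reason server-side; stating that trade-off explicitly makes it easier for the maintainers to accept.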
Re: Access-Reject has no Reply-Message
野村 健 [EMAIL PROTECTED] wrote:
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contains
> Reply-Message in Access-Reject packet if Reply-Message is configured.

  Have you configured a Reply-Message?

> So my question is:
> Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
>
> I have attached some logs below.

  You attached 'radiusd.conf', not the output of 'radiusd -X', as
requested in the FAQ and README's.

  Alan DeKok.
Sending a access reject packets
Hi,

how can i send an access reject packet or another possibility to disconnect
user without using radius? Let's say with php, where can i find some example
or tip, also in other programming languages?

--
Regards,
Sergio
RE: Sending a access reject packets
From: Fastbyte
Sent: Sunday, 7 September 2003 12:44 AM

> how can i send an access reject packet or another possibility to disconnect
> user without using radius? Let's say with php, where can i find some example
> or tip, also in other programming languages?

If you're talking about disconnecting currently-online users, that's not a
RADIUS thing, really. There _was_ a draft method of telling a NAS to
disconnect a user that uses the RADIUS protocol, but it's not supported by
FreeRADIUS directly, you'd have to build the request and use radclient to
send it to the NAS.

In short, it's NAS-specific, and outside RADIUS's area. The answers will be
in the documentation for your NAS.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul "TBBle" Hampson
=
Re: Sending a access reject packets
Hi Paul,

thanx for a quick answer, but my problem is a NAS because I'm using Belkin
F5D7130-4 and I have seen that this ap doesn't do accounting. So my idea was
to parse log file and then automatically generate a radius auth-reject. But
with this answer I'm really out of any fresh ideas...

Can you give some more pointers?

Sergio

Paul Hampson wrote:
> From: Fastbyte
> Sent: Sunday, 7 September 2003 12:44 AM
>
> > how can i send an access reject packet or another possibility to
> > disconnect user without using radius? Let's say with php, where can i
> > find some example or tip, also in other programming languages?
>
> If you're talking about disconnecting currently-online users, that's not a
> RADIUS thing, really. There _was_ a draft method of telling a NAS to
> disconnect a user that uses the RADIUS protocol, but it's not supported by
> FreeRADIUS directly, you'd have to build the request and use radclient to
> send it to the NAS.
>
> In short, it's NAS-specific, and outside RADIUS's area. The answers will be
> in the documentation for your NAS.
>
> --
> =
> Paul "TBBle" Hampson
> Bubblesworth Pty Ltd (ABN: 51 095 284 361)
> [EMAIL PROTECTED]
>
> This is a one line proof...if we start sufficiently far to the left.
> -- Cambridge University Math Department
>
> Random signature generator 3.0 by Paul "TBBle" Hampson
> =
RE: Sending a access reject packets
From: Fastbyte
Sent: Sunday, 7 September 2003 1:57 AM

> thanx for a quick answer, but my problem is a NAS because I'm using Belkin
> F5D7130-4 and I have seen that this ap doesn't do accounting. So my idea
> was to parse log file and then automatically generate a radius auth-reject.
> But with this answer I'm really out of any fresh ideas...
>
> Can you give some more pointers?

A quick read of the Belkin website suggests that it's not possible. In fact,
RADIUS isn't actually mentioned at all in the product brief or another review
I read. The review mentioned a complete lack of monitoring features for the
device, so the best I can say is this device is apparently ill-suited to any
environment where you care more than "These MACs are allowed, these are
disallowed."

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul "TBBle" Hampson
=
Re: Sending a access reject packets
Thanx, then I must switch to Linksys or D-Link. I want to stay with radius
eap/ttl-eap-md5 but the choice of low-cost ap is very very small.

Paul Hampson wrote:
> From: Fastbyte
> Sent: Sunday, 7 September 2003 1:57 AM
>
> > thanx for a quick answer, but my problem is a NAS because I'm using
> > Belkin F5D7130-4 and I have seen that this ap doesn't do accounting. So
> > my idea was to parse log file and then automatically generate a radius
> > auth-reject. But with this answer I'm really out of any fresh ideas...
> >
> > Can you give some more pointers?
>
> A quick read of the Belkin website suggests that it's not possible. In
> fact, RADIUS isn't actually mentioned at all in the product brief or
> another review I read. The review mentioned a complete lack of monitoring
> features for the device, so the best I can say is this device is
> apparently ill-suited to any environment where you care more than "These
> MACs are allowed, these are disallowed."
>
> --
> =
> Paul "TBBle" Hampson
> Bubblesworth Pty Ltd (ABN: 51 095 284 361)
> [EMAIL PROTECTED]
>
> This is a one line proof...if we start sufficiently far to the left.
> -- Cambridge University Math Department
>
> Random signature generator 3.0 by Paul "TBBle" Hampson
> =
Access-Reject problem.
hi !

I use freeradius 0.8.1.
i've configured freeradius with a reject_delay of one second.
I send an access-request for a bad user with ntradping. (time-out 15sec, only
one attempt)

with ethereal, I get :

  time 0 : source 10.0.9.192 access request id 7

and nothing else...

if I send another access-request :

  time 20 : source 10.0.9.192 access request id 8
  time 20 : source 10.0.9.192 access reject id 7

the access-reject corresponding with the 1st access request is sent ...
weird isn't it ? is there something I missed ?

here's the log :

rad_recv: Access-Request packet from host 10.0.9.192:61007, id=7, length=44
Thread 5 assigned request 45
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do. Sleeping until we see a request.
Thread 5 handling request 45, (8 handled so far)
        User-Name = toto
        User-Password = titi
modcall: entering group authorize
  radius_xlat: 'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'toto' ORDER BY id
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'toto' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'toto' ORDER BY id
  radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (SQL1): Pairs do not match for user [toto]
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Released sql socket id: 0
  modcall[authorize]: module "SQL1" returns notfound
  modcall[authorize]: module "mschap" returns notfound
modcall: group authorize returns notfound
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 45 for 1 seconds
Finished request 45
Going to the next request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.0.9.192:61008, id=8, length=44
Thread 1 assigned request 46
--- Walking the entire request list ---
Sending Access-Reject of id 7 to 10.0.9.192:61007
Cleaning up request 45 ID 7 with timestamp 3ef30d3c
Nothing to do. Sleeping until we see a request.
Thread 1 handling request 46, (9 handled so far)
        User-Name = toto
        User-Password = titi
modcall: entering group authorize
  radius_xlat: 'toto'
rlm_sql (SQL1): sql_set_user escaped user --> 'toto'
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'toto' ORDER BY id'
rlm_sql (/usr/local/var/log/radius/sqltrace.sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'toto' ORDER BY id
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
  radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'toto' ORDER BY id'
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'toto' ORDER BY id
  radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'toto' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id
Re: Returning Proxy-State (or anything else) in Access-Reject situations.
Chris A. Kalin [EMAIL PROTECTED] wrote:
> OK, I'm dealing with a UUNet reseller who apparently requires me to return
> the Proxy-State attribute he sends me in either an Access-Accept or
> Access-Reject situation. The Proxy-State attribute is returned just fine
> when the username and password works correctly (Access-Accept). However,
> when the password is not correct for the username (Access-Reject), then
> _nothing_ beyond the Access-Reject is returned. Not a Proxy-State, nothing.
> Did I miss something to make this happen or is UUNet asking for something
> unreasonable?

  If a Proxy-State is in a request packet, it MUST be returned in all
reply packets for that request.

> On a similar note, I've noticed that when I want to send a Reply-Message in
> an Access-Reject situation, the RADIUS server won't send it back, just like
> the above situation.

  Hmm... I'm seeing it being sent back in my local tests.

> UUNet won't play ball with me unless I can either prove to them that they're
> wrong (aka they don't really need me to do this) or I can send them back a
> Proxy-State response no matter what. Can anyone help me out with this?

  The server SHOULD send back Proxy-State in reject messages. If it's
not, then there's a bug. Testing it in debugging mode should let you see
quickly if the Proxy-State is being sent back.

> As an aside, I'm noticing an unbelievably long time before my postings hit
> the list, and every so often I'll see an old post of mine end up back on
> the list. I know my mail server isn't re-sending them, is something going
> on with the list server?

  The list server was sitting on email for a week or so. It looks like
it's now been fixed.

  Alan DeKok.
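The two rules Alan cites (Proxy-State MUST be echoed in every reply; an Access-Reject carries nothing but Reply-Message and Proxy-State) are easy to check mechanically on a captured packet pair. The following Python is an added example, not code from the list posts or from FreeRADIUS: it builds a constructed Access-Request carrying Proxy-State, then validates a reply against it (Response Authenticator per RFC 2865, Proxy-State echoed unchanged, only permitted attributes in a reject). The shared secret, identifier, request authenticator and the Proxy-State value are constructed test values, and User-Password hiding is left out because it does not affect the reply checks.

```python
"""RFC 2865 reply checker for Access-Reject / Proxy-State handling (added example)."""
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, SERVICE_TYPE, REPLY_MESSAGE, PROXY_STATE = 1, 6, 18, 33


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Decode a TLV stream; raises on truncated or self-inconsistent lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, authenticator, attrs):
    """Access-Request: header, 16-byte Request Authenticator, attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_reply(code, request, secret, attrs):
    """Reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def check_reply(request, reply, secret):
    """Return the list of RFC 2865 violations found in `reply`; empty list means OK."""
    problems = []
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply):
        return ["length field does not match packet"]
    if ident != request[1]:
        problems.append("identifier does not match request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        problems.append("bad Response Authenticator (wrong secret or tampered packet)")
    req_attrs, rep_attrs = decode_attrs(request[20:]), decode_attrs(reply[20:])
    # Proxy-State: every instance from the request, same order, same bytes
    if [v for t, v in req_attrs if t == PROXY_STATE] != [v for t, v in rep_attrs if t == PROXY_STATE]:
        problems.append("Proxy-State not echoed unchanged")
    if code == ACCESS_REJECT:
        for attr_type, _ in rep_attrs:
            if attr_type not in (REPLY_MESSAGE, PROXY_STATE):
                problems.append("attribute %d not permitted in Access-Reject" % attr_type)
    return problems


def reply_messages(reply):
    """All Reply-Message texts in a reply, in order (what a NAS would show the user)."""
    return [v.decode("utf-8", "replace") for t, v in decode_attrs(reply[20:]) if t == REPLY_MESSAGE]


# Constructed test traffic (values are made up, not from the list posts)
SECRET = b"testing123"
REQ = build_request(68, bytes(range(16)), [(USER_NAME, b"sltest"), (PROXY_STATE, b"244")])
# The reject the RFC asks for: Reply-Message plus the echoed Proxy-State
GOOD = build_reply(ACCESS_REJECT, REQ, SECRET,
                   [(REPLY_MESSAGE, b"Authentication failure\r\n"), (PROXY_STATE, b"244")])
# The symptom in this thread: a bare Access-Reject with no attributes at all
BARE = build_reply(ACCESS_REJECT, REQ, SECRET, [])
# A reject that smuggles a Service-Type, which RFC 2865 forbids
OVERFULL = build_reply(ACCESS_REJECT, REQ, SECRET,
                       [(SERVICE_TYPE, b"\x00\x00\x00\x02"), (PROXY_STATE, b"244")])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bare", BARE), ("overfull", OVERFULL)):
        print(name, check_reply(REQ, pkt, SECRET), reply_messages(pkt))
```

Run it against packets copied out of a `radiusd -X` session or a capture and the empty list confirms the reject is one the upstream reseller should accept.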
Re: Returning Proxy-State (or anything else) in Access-Reject situations.
Yup, that's what I've done for now, and it works perfectly. Thanks everyone!

Chris Kalin

----- Original Message -----
From: Franklin Trumpy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 05, 2002 11:49 AM
Subject: Re: Returning Proxy-State (or anything else) in Access-Reject situations.

> I was in the exact same situation, both with FreeRADIUS and with an outside
> reseller. In radiusd.conf, under security {}, set reject_delay = 0, and
> you should find your problems solved. I think this was discussed as a bug
> on the list sometime last year.
>
> Franklin
>
> On Sun, 5 May 2002, Chris A. Kalin wrote:
>
> > OK, I'm dealing with a UUNet reseller who apparently requires me to
> > return the Proxy-State attribute he sends me in either an Access-Accept
> > or Access-Reject situation. The Proxy-State attribute is returned just
> > fine when the username and password works correctly (Access-Accept).
> > However, when the password is not correct for the username
> > (Access-Reject), then _nothing_ beyond the Access-Reject is returned.
> > Not a Proxy-State, nothing. Did I miss something to make this happen or
> > is UUNet asking for something unreasonable?
> >
> > On a similar note, I've noticed that when I want to send a Reply-Message
> > in an Access-Reject situation, the RADIUS server won't send it back,
> > just like the above situation.
>
> --
> Franklin Trumpy, NFA, MNGS, GSc   | Say not, "I have found the truth,"
> UNIX Systems Administrator        | but rather, "I have found a truth."
> Lighthouse Communications         |
> [EMAIL PROTECTED]                 | Say not, "I have found the path of the soul."
> (515)244-1115                     | Say rather, "I have met the soul walking
> (888)953-3278                     | upon my path."
> http://www.lh.net                 |
>                                   | -Kahlil Gibran, _The Prophet_, 1923
Re: Access-Reject proxied without Reply-Message
On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
> Fduch the Pravking [EMAIL PROTECTED] wrote:
> > We have freeradius-0.5 doing only proxy. And the problem is: when radius
> > receives Access-Reject packet from remote server, it proxies it back to
> > the NAS without any attributes, Reply-Message in particular.
>
>   Read the RFC's. That's how RADIUS is *supposed* to work.

I've found nothing in RFC 2865 about any restrictions for Access-Reject but
this:

   If any condition is not met, the RADIUS server sends an Access-
   Reject response indicating that this user request is invalid. If
   desired, the server MAY include a text message in the Access-Reject
   which MAY be displayed by the client to the user. No other
   Attributes (except Proxy-State) are permitted in an Access-Reject.

So, Reply-Message MAY be present in Access-Reject, and it is PRESENT in the
packet from remote server, but is not being sent back to NAS by this proxy
radius. Correct me if I wrong, please.

Here is a bug, I think, and it comes from delaying the Access-Reject:

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> > And what does "Delaying request 91752 for 1 seconds" mean?
>
> It's a throttling feature. Some radius clients can cause what amounts to
> a DOS by repeatedly requesting authentication for failed users. IE, user
> gets rejected, nas sends another request, user gets rejected, nas sends
> another request. This was for a PPPoE/DSL authentication, so it was
> instantaneous.
>
> A configurable delay before sending the Reject back to the NAS allows the
> server to effectively throttle the rate at which that type of NAS can
> hammer it with requests. If you set it to zero, it disables the delay
> all-together. This is in the 'security' section of the 'radiusd.conf'
> file.

Sorry, Chris, I'm slightly blind :)

When I set reject_delay = 0 in the security section of radiusd.conf, the
same Access-Request packet shows the following:

% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
        User-Name = sltest
        User-Password = U\356~\271\354X\213bcV\301\032/V\\
        NAS-IP-Address = dyatel.antar.bryansk.ru
        NAS-Port-Id = 3
rad_recv: Access-Reject packet from host 127.0.0.1:1645, id=68, length=46
        Reply-Message = Authentication failure\r\n

So, if the reject_delay = 0, radius sends the Reply-Message in Access-Reject
back to the NAS, and if reject_delay = 1, does not. Or, maybe it's a feature?

Thanks for your comments.

--
Fduch M. Pravking
Re: Access-Reject proxied without Reply-Message
On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> > By the way, how can I say "Any number of such attribute" for
> > rlm_attr_filter?
>
> It should already do that. It doesn't track state, so if you permit
> 'Ascend-Data-Filter ~= .*' then it will allow through all attributes that
> match that rule.

It doesn't do that.

raddb/attrs:

DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port = 65536,
        Framed-IP-Address =~ .*,
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU = 576,
        Framed-Filter-ID =~ .*,
        Reply-Message =~ .*,
        Session-Timeout = 28800,
        Idle-Timeout = 600,
        Port-Limit = 2,
        Cisco-AVPair =~ .*,
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host client:2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
        User-Name = stricted-user@realm
        User-Password = crypted password
        NAS-IP-Address = NAS
        NAS-Port-Id = 3
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "attr_filter" returns noop
  modcall[authorize]: module "files" returns notfound
    rlm_realm: Proxying request from user register to realm realm
  modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to remote server
        User-Name = stricted-user@realm
        User-Password = crypted-password
        NAS-IP-Address = NAS
        NAS-Port-Id = 3
        Proxy-State = 244
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host remote server, id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
        User-Name = stricted-user@realm
        User-Password = crypted password
        NAS-IP-Address = NAS
        Proxy-State = 0x323434
        NAS-Identifier = NAS id
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = ip:inacl#1=permit udp...
        Cisco-AVPair = ip:inacl#2=permit udp...
        Cisco-AVPair = ip:inacl#3=permit udp...
        Cisco-AVPair = ip:inacl#4=permit udp...
        Cisco-AVPair = ip:inacl#5=permit udp...
        Cisco-AVPair = ip:inacl#6=permit udp...
        Cisco-AVPair = ip:inacl#7=permit udp...
        Cisco-AVPair = ip:inacl#8=permit tcp...
        Cisco-AVPair = ip:inacl#9=permit tcp...
        Cisco-AVPair = ip:inacl#10=deny ip any any
        Cisco-AVPair = ip:outacl#1=permit udp...
        Cisco-AVPair = ip:outacl#2=permit udp...
        Cisco-AVPair = ip:outacl#3=permit udp...
        Cisco-AVPair = ip:outacl#4=permit udp...
        Cisco-AVPair = ip:outacl#5=permit udp...
        Cisco-AVPair = ip:outacl#6=permit udp...
        Cisco-AVPair = ip:outacl#7=permit udp...
        Cisco-AVPair = ip:outacl#8=permit tcp...
        Cisco-AVPair = ip:outacl#9=permit tcp...
        Cisco-AVPair = ip:outacl#10=deny ip any any
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
    attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module "attr_filter" returns updated
  modcall[authorize]: module "files" returns notfound
  modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas client port 0)
Sending Access-Accept of id 244 to client:2893
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = ip:inacl#1=permit udp...
Finished request 35
Going to the next request

So, only the first Cisco-AVPair attribute is sent back to the NAS. The only
way I see is to add as many 'Cisco-AVPair =~ .*' lines to raddb/attrs as it
seems to be possible :(

Any comments or suggestions?

--
Fduch M. Pravking
Re: Access-Reject proxied without Reply-Message
Fduch the Pravking [EMAIL PROTECTED] wrote:
> So, if the reject_delay = 0, radius sends the Reply-Message in Access-Reject
> back to the NAS, and if reject_delay = 1, does not.

  That's a bug. I would think that rad_respond(), in src/main/radiusd.c
is to blame. It shouldn't clean up request->reply->vps if
request->reply->data is NULL.

  Alan DeKok.
Re: Access-Reject proxied without Reply-Message
Fduch the Pravking [EMAIL PROTECTED] wrote:
> We have freeradius-0.5 doing only proxy. And the problem is: when radius
> receives Access-Reject packet from remote server, it proxies it back to the
> NAS without any attributes, Reply-Message in particular.

  Read the RFC's. That's how RADIUS is *supposed* to work.

  Alan DeKok.
Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5
Sagara Wijetunga [EMAIL PROTECTED] wrote:
> I have observed with freeradius-0.5 that Access-Accept response takes about
> 17 milliseconds and Access-Reject response takes about 3500 milliseconds.
> This type of long delay for Access-Reject response was not experienced
> with freeradius-0.4.

  Please read the 'radiusd.conf' file distributed with 0.5. It includes
new security features which help to prevent an attack from disabling the
server. The main side effect is that by default, authentication rejects
are delayed for a configurable amount.

  Alan DeKok.
Access Reject response for Authentication Request is very slow on Freeradius 0.5
I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel:
2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My
modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital RAS
card.

I have observed with freeradius-0.5 that Access-Accept response takes about
17 milliseconds and Access-Reject response takes about 3500 milliseconds.
This type of long delay for Access-Reject response was not experienced with
freeradius-0.4.
Re: Access Reject response for Authentication Request is very slow on Freeradius 0.5
At 12:34 AM 3/20/2002 +0600, Sagara Wijetunga wrote:
> I use Intel Pentium III based PC servers, Red Hat Linux 7.2, Linux Kernel:
> 2.4.7-10custom, Portslave 2002-01-19, Freeradius 0.5 and MySQL 3.23.41. My
> modem is 3Com US Robotics 56K Faxmodem. I do not use any NAS or Digital RAS
> card.
>
> I have observed with freeradius-0.5 that Access-Accept response takes about
> 17 milliseconds and Access-Reject response takes about 3500 milliseconds.
> This type of long delay for Access-Reject response was not experienced
> with freeradius-0.4.

See the response just posted to this list earlier today. FreeRADIUS 0.5 has
a new configurable time delay to send rejects, to prevent runaway NAS from
flooding the server with rejects. You can modify (or completely disable)
this delay.

-Chris

--
Chris Parker
Director, Engineering
StarNet Inc. - WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Access Reject
Hello

I would like to send an Access reject packet to NAS when the User-Name and
User-Password fields match (successful auth.)

I want to do that with DB, but I don't know what and where I have to put.
Could anybody tell me?

I tried to put to radgroupreply:

  mygroup | Auth-Type | Reject

But it still returns Access accept and the sw in the NAS requires Access
reject.

Thanks,
Thomas
Re: Access Reject
On Thu, 7 Feb 2002, Alan DeKok wrote:

> Thomas Jalsovsky [EMAIL PROTECTED] wrote:
> > I would like to send an Access reject packet to NAS when the User-Name
> > and User-Password fields match (successful auth.)
>
>   Hmm... the server isn't really set up to do that now.
>
> > But it still returns Access accept and the sw in the NAS requires
> > Access reject.
>
>   Why does the NAS require an access reject when the username and
> password are OK?
>
>   Alan DeKok.

The sw in the NAS does:

  does ISDN preauthentication - AAA with "phone number,reject"; if the auth.
  failed, it means, the user can continue, the ISDN line should be picked
  up. If not, the ISDN disconnect will be applied (it is important for toll
  free - 800 - numbers).

  If the "phoneno,reject" isn't in the database, the user can continue, the
  script tries authentication by the phone number in way: AAA "phone
  number,accept"; if auth is successful, auth is done; if not, account and
  pin are asked from the user.

Thomas