Hi all

I have two questions relating to the above.

1) I notice that my server is responding to the client with the Cisco-AVPair
attributes even if the user's authentication fails due to an incorrect
password. Is this normal behaviour? For example, the client log shows:

--------------------16/05/2005 08:47:16 PM Test started  [2GB_test]-------------------------
Info:Sending Access-Request of id 0 to 192.168.0.10:1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "badpass"
Info: Access-Reject packet from host 192.168.0.10:1812, id=0, length=86
        Cisco-AVPair = "ip:ip-unnumbered=Loopback50"
        Cisco-AVPair = "ip:addr-pool=ipnetpool1"
--------------------16/05/2005 08:47:18 PM Test finished [2GB_test]-------------------------

As you can see, the server sends back the Cisco-AVPair information even
though the user's password is incorrect. Is this normal? If not, how do I go
about changing it?


2) In a situation where the password supplied by the client is correct, but
the attribute values associated with the request are incorrect, I notice
that the server responds with an Access-Accept, but updates the attribute
values. For example:

--------------------16/05/2005 08:55:10 PM Test started  [FreeRADIUS test]-------------------------
Info:Sending Access-Request of id 0 to 192.168.0.10:1812
        Framed-Protocol = PPP
        Service-Type = Outbound-User
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "testpass"
Info: Access-Accept packet from host 192.168.0.10:1812, id=0, length=98
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Cisco-AVPair = "ip:ip-unnumbered=Loopback52"
        Cisco-AVPair = "ip:addr-pool=ipnetpool3"
--------------------16/05/2005 08:55:10 PM Test finished [FreeRADIUS test]-------------------------

As you can see, the Access-Request was for "Outbound-User" access, which was
incorrect for this user's profile. Instead of rejecting it, the RADIUS
server accepted and just updated the Service-Type in the Access-Accept
packet. Again, is this normal behaviour? If not, how do I go about changing
it? 


Any help with the above would be much appreciated. Details of my system are
as follows:

Operating System: FreeBSD 5.4-STABLE 
FreeRADIUS package: freeradius-1.0.2_1
Database: mysql-server-4.1.11_1


Many thanks,

Justin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
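
Added example, not part of the original post: a Python check over client test logs in the format shown above that flags the two behaviours described, an Access-Reject carrying attributes beyond those RFC 2865 (section 5.44) and RFC 3579 permit, and an Access-Accept that returns a different value for an attribute the request sent. The names `audit` and `REJECT_ALLOWED`, the finding labels and the shortened sample log are constructed for this illustration.

```python
import re

# Attributes allowed in an Access-Reject: Reply-Message and Proxy-State
# (RFC 2865, section 5.44), plus the two EAP attributes from RFC 3579.
REJECT_ALLOWED = {"Reply-Message", "Proxy-State", "EAP-Message", "Message-Authenticator"}
PACKET_RE = re.compile(r"Info:\s*(?:Sending )?(Access-\w+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")

# Constructed sample: the two exchanges from the post, banners shortened.
SAMPLE_LOG = '''\
---- Test started [2GB_test] ----
Info:Sending Access-Request of id 0 to 192.168.0.10:1812
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "badpass"
Info: Access-Reject packet from host 192.168.0.10:1812, id=0, length=86
        Cisco-AVPair = "ip:ip-unnumbered=Loopback50"
        Cisco-AVPair = "ip:addr-pool=ipnetpool1"
---- Test started [FreeRADIUS test] ----
Info:Sending Access-Request of id 0 to 192.168.0.10:1812
        Framed-Protocol = PPP
        Service-Type = Outbound-User
        User-Password = "testpass"
Info: Access-Accept packet from host 192.168.0.10:1812, id=0, length=98
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Cisco-AVPair = "ip:ip-unnumbered=Loopback52"
'''

def audit(log):
    """Return (finding, attribute, detail) tuples for each request/response pair."""
    findings, request, packet = [], {}, None
    for line in log.splitlines():
        if (m := PACKET_RE.search(line)):
            packet = m.group(1)
            if packet == "Access-Request":
                request = {}          # a new exchange starts here
        elif (m := ATTR_RE.match(line)) and packet:
            name, value = m.group(1), m.group(2).strip('"')
            if packet == "Access-Request":
                request[name] = value
            elif packet == "Access-Reject" and name not in REJECT_ALLOWED:
                findings.append(("reject-carries-attribute", name, value))
            elif packet == "Access-Accept" and request.get(name, value) != value:
                findings.append(("accept-overrides-request", name, f"{request[name]} -> {value}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep=": ")
```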
