Re: Auth-Type = Reject not being obeyed

2013-05-25 Thread Matthew Melbourne
I think Phil's diagnosis is correct; 'Auth-Type := Reject' requires the ':='
operator to reject a CHAP authentication.

Unfortunately, it's not always easy to place a live production system in
debug mode, hence the initial "is this something stupid" question :)

(And apologies for the lack of a subject line in the original post).

Cheers,
Matt

-Original Message-
Date: Fri, 24 May 2013 17:31:29 +0100
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: Auth-Type = Reject not being obeyed
Message-ID: 519f95e1.6010...@imperial.ac.uk
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 24/05/13 17:19, Alan Buxey wrote:

 The only difference I can see is that the first example uses a 
 plain-text password, and the RADIUS on the LNS is using CHAP?

 The backend database has = in the 'op' field (and not :=), so the 
 returned attribute is Auth-Type = Reject and not Auth-Type := 
 Reject, but it is correctly rejected using radtest/radclient, and I 
 believe the = operand to be correct.

You might have this:

authorize {
   ...
   chap
   sql
   ...
}

..and Auth-Type is already set by chap, hence = doesn't overwrite it.

Anyway, you're not correct that = is the right operator; := means
force i.e. set this attribute to this value, always, and that's what you
want to do here, right? = means set if unset

As has also been pointed out - show radiusd -X for a problem auth (and set
a subject line...)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
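The operator semantics Phil describes (`=` sets an attribute only if it is not already set, `:=` always overwrites) and the module-ordering effect he points to can be reproduced in a small simulation. The following Python is an added example, not code from the thread or from FreeRADIUS itself: it models a simplified `authorize` section in which a `chap` module sets `Auth-Type` to `CHAP` when the request carries a `CHAP-Password` and `Auth-Type` is still unset, followed by an `sql` module that applies constructed `radcheck`-style rows with their `op` column. The module names, the row layout and the sample username are assumptions made for the example; the behaviour modelled for `=`, `:=` and `==` follows the operator meanings stated in the thread.

```python
"""Simulation of FreeRADIUS check-item operators and authorize ordering.

Added example, not FreeRADIUS source. It reproduces why a radcheck row
'Auth-Type = Reject' is honoured for a PAP request (radclient) but ignored
for a CHAP request from the LNS when 'chap' runs before 'sql'.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed radcheck-style rows: (username, attribute, op, value).
ROWS_EQUALS: List[Tuple[str, str, str, str]] = [
    ("mmelbourne@realm", "Auth-Type", "=", "Reject"),
]
ROWS_FORCE: List[Tuple[str, str, str, str]] = [
    ("mmelbourne@realm", "Auth-Type", ":=", "Reject"),
]


def apply_check_items(config: Dict[str, str],
                      rows: List[Tuple[str, str, str, str]],
                      username: str) -> Dict[str, str]:
    """Merge check items into the config list using the operator semantics
    described in the thread: '=' is set-if-unset, ':=' is force."""
    for user, attr, op, value in rows:
        if user != username:
            continue
        if op == ":=":
            config[attr] = value            # always overwrite
        elif op == "=":
            config.setdefault(attr, value)  # only if not already present
        elif op == "==":
            pass                            # comparison only; never sets
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return config


def authorize(request_has_chap: bool,
              rows: List[Tuple[str, str, str, str]],
              username: str,
              sql_after_chap: bool = True) -> Optional[str]:
    """Run a simplified authorize section and return the final Auth-Type.

    The modelled 'chap' module (an assumption for this example) sets
    Auth-Type to CHAP only when the request carries CHAP-Password and no
    Auth-Type has been set yet, which is what lets a later '=' row lose.
    """
    config: Dict[str, str] = {}

    def chap() -> None:
        if request_has_chap and "Auth-Type" not in config:
            config["Auth-Type"] = "CHAP"

    def sql() -> None:
        apply_check_items(config, rows, username)

    order: List[Callable[[], None]] = [chap, sql] if sql_after_chap else [sql, chap]
    for module in order:
        module()
    return config.get("Auth-Type")


def decide(auth_type: Optional[str], password_ok: bool) -> str:
    """Map the resolved Auth-Type to the packet the NAS would receive."""
    if auth_type == "Reject":
        return "Access-Reject"
    if auth_type in ("CHAP", "PAP", None) and password_ok:
        return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    user = "mmelbourne@realm"
    # radclient with a plain-text password: '=' row wins, account rejected.
    print("PAP, '=' row :", decide(authorize(False, ROWS_EQUALS, user), True))
    # LNS using CHAP: chap sets Auth-Type first, '=' cannot overwrite it.
    print("CHAP, '=' row:", decide(authorize(True, ROWS_EQUALS, user), True))
    # Same request with ':=' in the op column: forced, rejected as intended.
    print("CHAP, ':=' row:", decide(authorize(True, ROWS_FORCE, user), True))
```

Running the script shows the three cases from the thread side by side: the `=` row rejects the PAP request, is silently ignored for the CHAP request because `chap` has already populated `Auth-Type`, and the `:=` row rejects the CHAP request as well. Reordering `sql` before `chap` also makes the `=` row take effect, which is why the operator, not the module order, is the robust fix for a "disable this account" row.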


[no subject]

2013-05-24 Thread Matthew Melbourne
Hi,

I have an interesting scenario where a broadband user has
Auth-Type=Reject configured as an attribute in the back-end database
of FreeRADIUS, and this appears to be working, as radtest and
radclient confirm (the Access-Reject packet is received):

[root@radius-one radius]# echo "User-Name=mmelbourne@realm,Password=mypassword,Framed-Protocol=PPP" | radclient -x -s 127.0.0.1 auth radius_secret
Sending Access-Request of id 45 to 127.0.0.1 port 1812
User-Name = mmelbourne@realm
Password = mypassword
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=73
Reply-Message = Your account has been disabled, please call support

Total approved auths:  0
Total denied auths:    1
Total lost auths:      0

However, on the NAS (LNS), a radius debug shows that the
authentication succeeds with an Access-Accept, even though the
account disabled Reply-Message is received:

May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to
213.x.x.x:1812 id 21793/12, len 107
May 23 14:12:28.076: RADIUS:  authenticator 70 A9 8C A5 A8 79 A8 61 -
4D F6 99 37 F7 63 FE A5
May 23 14:12:28.076: RADIUS:  Framed-Protocol [7]   6   PPP   [1]
May 23 14:12:28.076: RADIUS:  User-Name   [1]   21  mmelbourne@realm
May 23 14:12:28.076: RADIUS:  CHAP-Password   [3]   19  *
May 23 14:12:28.076: RADIUS:  NAS-Port-Type   [61]  6   Virtual   [5]
May 23 14:12:28.076: RADIUS:  NAS-Port[5]   6   826
May 23 14:12:28.076: RADIUS:  NAS-Port-Id [87]  17  Uniq-Sess-ID826
May 23 14:12:28.076: RADIUS:  Service-Type[6]   6   Framed   [2]
May 23 14:12:28.076: RADIUS:  NAS-IP-Address  [4]   6   88.x.x.x
May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812,
Access-Accept, len 157
May 23 14:12:28.084: RADIUS:  authenticator 79 6C DA EB 1A CC AD CA -
BB E3 C9 CE D1 C3 AC 47
May 23 14:12:28.084: RADIUS:  Reply-Message   [18]  53
May 23 14:12:28.084: RADIUS:   59 6F 75 72 20 61 63 63 6F 75 6E 74 20
68 61 73  [Your account has]
May 23 14:12:28.084: RADIUS:   20 62 65 65 6E 20 64 69 73 61 62 6C 65
64 2C 20  [ been disabled, ]
May 23 14:12:28.084: RADIUS:   70 6C 65 61 73 65 20 63 61 6C 6C 20 73
75 70 70  [please call supp]
May 23 14:12:28.084: RADIUS:   6F 72 74   [ ort]
May 23 14:12:28.084: RADIUS:  Framed-IP-Address   [8]   6   77.x.x.x
May 23 14:12:28.084: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255
May 23 14:12:28.084: RADIUS:  Framed-Protocol [7]   6   PPP   [1]
May 23 14:12:28.084: RADIUS:  Service-Type[6]   6   Framed   [2]
May 23 14:12:28.084: RADIUS:  Vendor, Cisco   [26]  54
May 23 14:12:28.084: RADIUS:   Cisco AVpair   [1]   48
ip:dns-servers=213.x.x.x 213.x.x.x
May 23 14:12:28.084: RADIUS:  Idle-Timeout[28]  6   28800


The only difference I can see is that the first example uses a
plain-text password, and the RADIUS on the LNS is using CHAP?

The backend database has = in the 'op' field (and not :=), so the
returned attribute is Auth-Type = Reject and not Auth-Type :=
Reject, but it is correctly rejected using radtest/radclient, and I
believe the = operand to be correct.

Has anyone seen anything similar? The NAS is a 7206VXR running
12.2(31)SB2 and the backend is FreeRADIUS 1.1.
--
Matthew Melbourne
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html