Missing NAS-Port in Access request with respect to RFC 2865

Thu Apr 3 11:04:10 CEST 2008

Hello Freeradius-users,

>From what I see in the mailing list archives several freeradius users
have historically run into trouble with Access-Request information sent
by NASes and particularly the lack of the NAS-Port attribute. I've run
into it quite often recently and was wondering if I may have found a way
to solve it. The workaround I currently employ is to configure
acct_users to let the access request from the NAS in question through
anyway but it's a workaround. If possible I'd like to find the *correct*
solution....  :-)

The RFC 2865 http://www.freeradius.org/rfc/rfc2865.html#NAS-Port states
that:

  "Either NAS-Port or NAS-Port-Type (61) or both SHOULD
      be present in an Access-Request
<http://www.freeradius.org/rfc/rfc2865.html#Access-Request>  packet, if
the NAS differentiates
      among its ports."

>From what I understand the current Freeradius code interprets the RFC
statement so that if the NAS-Port attribute is not sent then the access
request is not processed and subsequently denied (in rlm_radutmp.c -
line 404).

     if (!port_seen) {

However; shouldn't the statement from the RFC be intertpreted such that
if *neither* the NAS-Port or the NAS-Port-Type is set then the access
request should not be processed and subsequently denied? I'm thinking
something along the lines of changing line 404 of rlm_radutmp.c to:

   if (!port_seen && !nas_port_type) {

I'll apologise in advance if my all too rusty programming skills are
making me misunderstand the situation entirely...

Best Regards,

Johannes Ramm-Ericson
----------------------------------------------------------- 

The information in this e-mail, and attachment(s) thereto, is strictly
confidential and may be legally privileged. It is intended solely for
the named recipient(s), and access to this e-mail, or any attachment(s)
thereto, by anyone else is unauthorized. Violations hereof may result in
legal actions. Any attachment(s) to this e-mail has been checked for
viruses, but please rely on your own virus-checker and procedures. If
you contact us by e-mail, we will store your name and address to
facilitate communications in the matter concerned. If you do not consent
to us storing your name and address for above stated purpose, please
notify the sender promptly. Also, if you are not the intended recipient
please inform the sender by replying to this transmission, and delete
the e-mail, its attachment(s), and any copies of it without, disclosing
it.