Missing NAS-Port in Access request with respect to RFC 2865
Ramm-Ericson, Johannes
Johannes.Ramm-Ericson at sonyericsson.com
Fri Apr 4 08:06:33 CEST 2008
Alan DeKok wrote:
>Ramm-Ericson, Johannes wrote:
>> From what I understand the current Freeradius code interprets the RFC
>> statement so that if the NAS-Port attribute is not sent then the access
>> request is not processed and subsequently denied (in rlm_radutmp.c -
>> line 404).
>
> No.
>
> The *radutmp* module requires the NAS port for its proper operation.
> The *server* does not.
Fair enough, from my usage perspective the server and module are one
unit. They are however separate entities and I could have been more
explicit in my description.
> The request is *not* denied if there is no NAS-Port.
OK. However, access requests from that particular NAS are in effect not
processed the way I expect because of the lacking NAS-Port which still
leaves me with a problem I need to understand and fix.
The NAS admins on the other end refuse to forward the NAS-Port because
their experience with other Radius servers has never made the presence
of NAS-Port a requirement earlier. I suspect that the terminology of the
RFC actually confirms their point of view.
>> However; shouldn't the statement from the RFC be interpreted such that
>> if *neither* the NAS-Port or the NAS-Port-Type is set then the access
>> request should not be processed and subsequently denied?
>
> No. I have no idea why you think the request is being denied.
I apologise; I should rather have said that the request is not being
processed further as I am hoping it would.
>> I'm thinking
>> something along the lines of changing line 404 of rlm_radutmp.c to:
>>
>> if (!port_seen && !nas_port_type) {
>
> No. The radutmp module needs a NAS-Port to put into the radutmp data
> structure. The NAS-Port-Type attribute cannot be used for this purpose.
OK. But what I was trying to say was that I think the if statement in
rlm_radutmp is not correctly interpreting the RFC. From my understanding
the RFC says that "either NAS-Port or NAS-Port-Type or both" must be
present. However:
if (!port_seen) {
looks to be saying that NAS-Port *must* always be present, which isn't
quite the same thing.
Just to clarify; I may very well be wrong about all this but I have a
workaround that I think is just that: a workaround, rather than a
correct solution. My hope is that either someone on the mailing list can
explain why I'm getting it all wrong or that I actually have found a bug
and that it in that case hopefully can be squashed.
>> I'll apologise in advance if my all too rusty programming skills are
>> making me misunderstand the situation entirely...
>
> I think you're confusing "server" with "module".
Absolutely. I should have put more effort into explaining what I'm
thinking is wrong.
Cheers,
J.
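
The difference between the two conditions discussed in this thread, sketched as an added example (not from the original message and not FreeRADIUS code): a bounds-checked walk over the attributes of an Access-Request that reports the "NAS-Port or NAS-Port-Type or both" condition separately from the presence of NAS-Port alone. The helper names and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN        20  /* code, id, length (2), authenticator (16) */
#define NAS_PORT        5  /* RFC 2865 attribute type */
#define NAS_PORT_TYPE  61  /* RFC 2865 attribute type */

/* 1 = attribute present, 0 = absent, -1 = malformed packet */
int has_attr(const uint8_t *p, size_t n, uint8_t type)
{
    if (n < HDR_LEN) return -1;
    size_t total = ((size_t)p[2] << 8) | p[3];   /* length field, big-endian */
    if (total < HDR_LEN || total > n) return -1;
    int found = 0;
    for (size_t off = HDR_LEN; off < total; ) {
        if (total - off < 2) return -1;          /* truncated TLV header */
        size_t alen = p[off + 1];                /* covers type + length + value */
        if (alen < 2 || alen > total - off) return -1;
        if (p[off] == type) found = 1;
        off += alen;
    }
    return found;
}

/* Reading quoted in the post: NAS-Port or NAS-Port-Type or both */
int either_present(const uint8_t *p, size_t n)
{
    int a = has_attr(p, n, NAS_PORT), b = has_attr(p, n, NAS_PORT_TYPE);
    return (a < 0 || b < 0) ? -1 : (a || b);
}

/* Constructed samples: Access-Request (code 1), zeroed authenticator,
 * User-Name "bob", NAS-Port-Type 15; the second also carries NAS-Port 7. */
const uint8_t only_type[31] = { 1, 42, 0, 31, [20] = 1, 5, 'b', 'o', 'b',
                                61, 6, 0, 0, 0, 15 };
const uint8_t with_port[37] = { 1, 43, 0, 37, [20] = 1, 5, 'b', 'o', 'b',
                                61, 6, 0, 0, 0, 15, 5, 6, 0, 0, 0, 7 };

int main(void)
{
    printf("only_type: either=%d nas_port=%d\n",
           either_present(only_type, sizeof only_type),
           has_attr(only_type, sizeof only_type, NAS_PORT));
    printf("with_port: either=%d nas_port=%d\n",
           either_present(with_port, sizeof with_port),
           has_attr(with_port, sizeof with_port, NAS_PORT));
    return 0;
}
```

The first packet satisfies the "either or both" condition while still lacking NAS-Port, which is the case the NAS in this thread produces.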