Sending a disconnect message when replying with an access reject.

Peter Lambrechtsen peter at crypt.co.nz
Thu Apr 18 22:48:07 CEST 2013


On Thu, Apr 18, 2013 at 11:35 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Thu, Apr 18, 2013 at 05:52:16PM +1200, Peter Lambrechtsen wrote:
>> When I set up the post-auth policy to send an update disconnect it works fine
>> if the response is an Access-Accept. But if I update the control to Access-
>> Reject the disconnect module gives me a noop.
>
> As a guess:
>
> The Post-Auth-Type REJECT section in the inner-tunnel is never
> called. This is fixed in v2.x.x HEAD and master.
>
> Post-Auth-Type REJECT in the outer tunnel is fine.
>
> This might be your problem.

Under the authorize section I have:

        if (ADSL-Agent-Remote-Id !~ /COMP/ ) {
                update disconnect {
                        Acct-Session-Id = "7444"
                }
#               update control {
#                       Auth-Type := Reject
#               }
        }

This was just for testing to see if I could send a Disconnect from
within the Authorize section.

In the trace I see:

+++? if (ADSL-Agent-Remote-Id !~ "xxx" ) -> TRUE
+++- entering if (ADSL-Agent-Remote-Id !~ "xxx" ) {...}
++++[disconnect] returns ok

Then at the end of the log I see:

Sending Access-Accept of id 161 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Disconnect-Request of id 206 to 172.25.1.1 port 3799
        Acct-Session-Id = "7444"
Finished request 3.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Disconnect-NAK packet from host 172.25.1.1 port 3799, id=206, length=20
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 161 with timestamp +163

So in this case I see I get a NAK back (since I sent the wrong session ID).

Whereas if I have the Auth-Type := Reject, that rejects the current
packet, but I expected the Disconnect to still go through. Instead,
this is what I see:

+++? if (ADSL-Agent-Remote-Id !~ "xxx" ) -> TRUE
+++- entering if (ADSL-Agent-Remote-Id !~ "xxx" ) {...}
++++[control] returns ok
++++[disconnect] returns ok
++++- entering policy do_not_respond {...}
+++++[control] returns ok
+++++[handled] returns handled
++++- policy do_not_respond returns handled
+++- if (ADSL-Agent-Remote-Id !~ "xxx" ) returns handled

Whereas all I send back is:

Sending Access-Reject of id 165 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Waking up in 4.9 seconds.

The Disconnect never gets sent.

I even tried adding it to post-auth as well, under Post-Auth-Type REJECT:

        Post-Auth-Type REJECT {
                update disconnect {
                        Acct-Session-Id = "7444"
                }
        }

And the module returns a noop:

Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++[disconnect] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 186 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Waking up in 4.9 seconds.

Any ideas?

Cheers

Peter
