3.0.10 and auth+acct type under the listen section

Alan DeKok aland at deployingradius.com
Mon Dec 21 02:23:40 CET 2015


On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> I'm working on an in-place rebuild of another radius product using 3.0.10
> and noticed something very stupid that an upstream NAS is doing. It's going
> to be a major challenge to get the upstream NAS corrected.
> 
> It's sending Auth & Acct messages on 1646.

  1646 has been deprecated for 15+ years.  Using one port for auth and acct was *never* allowed.

  Please name and shame the vendor.  There is *no* reason in 2015 to have such non-compliant behaviour.

> I tried setting the type to auth+acct in the sites-enabled/default listen
> section:
> 
> listen {
>        ipaddr = *
>        port = 1646
>        type = auth+acct
> #       interface = eth0
> #       clients = per_socket_clients

  Hm... that's allowed only for TCP sockets.  It's parsed but ignored for UDP sockets.  I suppose that should be fixed.

> But if I receive an accounting message on that port, it gets rejected:

  Yes.

> If I swap it back to acct then the Auth messages get rejected.

  Yes.

> Any ideas on how to sort this?

  Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets.  Nothing else in the code will care.  That should be ~15 lines or so.

  We disallow it because it's wrong, and we want to discourage bad behaviour.

  Alan DeKok.
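
The per-listener packet-type check discussed in the reply above, as an added example that is not part of the original message and is not FreeRADIUS source code: a stand-alone C model of a listener that accepts or drops a datagram according to its RADIUS code. The names listen_type, listener_check and make_packet are hypothetical, and the sample packet is constructed.

```c
/* Added illustration: a stand-alone model, not FreeRADIUS source code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ACCESS_REQUEST = 1, ACCOUNTING_REQUEST = 4 };   /* RFC 2865 / RFC 2866 codes */
enum listen_type { LISTEN_AUTH, LISTEN_ACCT, LISTEN_AUTH_ACCT }; /* hypothetical names */
enum verdict { ACCEPT, DROP_MALFORMED, DROP_WRONG_TYPE };

#define RADIUS_HDR_LEN 20    /* code, id, 2-byte length, 16-byte authenticator */
#define RADIUS_MAX_LEN 4096

/* Decide whether a datagram arriving on a listener of this type is processed. */
enum verdict listener_check(enum listen_type type, const uint8_t *buf, size_t len)
{
    size_t claimed;

    if (buf == NULL || len < RADIUS_HDR_LEN) return DROP_MALFORMED;
    claimed = ((size_t)buf[2] << 8) | buf[3];           /* big-endian length field */
    if (claimed < RADIUS_HDR_LEN || claimed > RADIUS_MAX_LEN || claimed > len)
        return DROP_MALFORMED;                          /* header lies about the size */

    switch (buf[0]) {
    case ACCESS_REQUEST:     return type == LISTEN_ACCT ? DROP_WRONG_TYPE : ACCEPT;
    case ACCOUNTING_REQUEST: return type == LISTEN_AUTH ? DROP_WRONG_TYPE : ACCEPT;
    default:                 return DROP_WRONG_TYPE;    /* other codes not modelled */
    }
}

/* Constructed sample input: a header-only packet carrying the given code. */
size_t make_packet(uint8_t *out, size_t cap, uint8_t code)
{
    size_t i;

    if (cap < RADIUS_HDR_LEN) return 0;
    out[0] = code; out[1] = 1; out[2] = 0; out[3] = RADIUS_HDR_LEN;
    for (i = 4; i < RADIUS_HDR_LEN; i++) out[i] = 0;
    return RADIUS_HDR_LEN;
}

int main(void)
{
    uint8_t pkt[RADIUS_HDR_LEN];
    size_t n = make_packet(pkt, sizeof pkt, ACCOUNTING_REQUEST);

    printf("acct on auth listener:      %d\n", listener_check(LISTEN_AUTH, pkt, n));
    printf("acct on auth+acct listener: %d\n", listener_check(LISTEN_AUTH_ACCT, pkt, n));
    return 0;
}
```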



