access reject problem
Brian Candler
b.candler at pobox.com
Fri Jan 13 12:11:51 CET 2017
On 13/01/2017 07:18, Greg Antic wrote:
> The user account has been disabled and the auth-type set as per radcheck output below. The logs show rejected for many hours and all of a sudden it will start a session however the postauth table shows it was rejected. It's almost like freeradius gets tired of saying no and eventually gives in and says yes.
Firstly, do you have a log which shows that FreeRADIUS actually returned
Access-Accept? Turning on auth detail logging may help here - or better,
capture all the radius traffic with tcpdump.
If FreeRADIUS returned Access-Reject (which apparently the logs say),
but the NAS allowed a session to start, then clearly the NAS is at
fault. I'd want tcpdump evidence to be sure it's that.
The alternative explanation is that FreeRADIUS is occasionally returning
Access-Accept instead of Access-Reject, and again tcpdump will show you
if that's the case.
If so, you might want to check how you've configured the database
query. If there is a temporary failure to retrieve the mysql query
results, you want FreeRADIUS to reject, not to continue as if there was
a successful query with no results.
In particular:
- are you using configurable failover between multiple databases?
- if so, have you ensured that if all sources are unavailable, the default is to reject?
It might be useful if you could simulate a mysql query error, for
example by sending a bad SQL query or by shutting down the database, and
seeing what happens in those circumstances.
But it seems rather odd, because your radcheck table contains the
Cleartext-Password as well as the Auth-Type; so for a successful auth I
would have thought at least the Cleartext-Password was being retrieved
successfully. This makes it seem unlikely that the database query is
the problem.
Regards,
Brian.
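As an added example (not code from this thread or from the FreeRADIUS project), the following pairs Access-Requests with their replies and checks each reply's Response Authenticator against the shared secret, which is what lets a packet capture confirm that an Access-Accept really came from the server rather than being assumed from the NAS behaviour; the secret, user name and request authenticators are constructed sample values.

```python
import hashlib
import hmac
import struct

SECRET = b"testing123"  # constructed sample shared secret
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def header(code, ident, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs))

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()

def build_request(ident, attrs, request_auth):
    return header(1, ident, attrs) + request_auth + attrs

def build_response(code, ident, attrs, request_auth, secret):
    return header(code, ident, attrs) + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def parse_radius(pkt):
    """Return (code, identifier, authenticator, attributes) from a raw packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], pkt[20:length]

def classify_exchanges(packets, secret):
    """Pair each reply with its Access-Request by Identifier (a real capture would
    also key on client address/port); report reply type and whether it validates."""
    pending, results = {}, []
    for pkt in packets:
        code, ident, auth, attrs = parse_radius(pkt)
        if code == 1:
            pending[ident] = auth
        elif ident in pending:
            expected = response_authenticator(code, ident, attrs, pending.pop(ident), secret)
            results.append((ident, CODES.get(code, str(code)), hmac.compare_digest(expected, auth)))
    return results

REQ_A, REQ_B = bytes(range(16)), bytes(range(16, 32))  # constructed request authenticators
SAMPLE = [
    build_request(5, attr(1, b"greg"), REQ_A),
    build_response(3, 5, attr(18, b"disabled"), REQ_A, SECRET),  # genuine reject
    build_request(6, attr(1, b"greg"), REQ_B),
    build_response(2, 6, b"", REQ_B, b"wrong-secret"),            # accept that does not validate
]

RESULTS = classify_exchanges(SAMPLE, SECRET)
```

A reply whose authenticator does not validate under the configured secret did not come from a server holding that secret, so a captured Access-Accept that fails this check points away from FreeRADIUS and toward the NAS or something between them.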