#596 confirmed fixed; small glitch remaining
Hi, I can confirm that today's GIT does what it's supposed to in terms of Access-Reject/Accept :-) There is still something strange (but probably unrelated) which I see in debug mode: (2) pap : Passwords don't match (2) [pap] = reject (2) } # Auth-Type PAP = reject (2) Failed to authenticate the user. (2) Using Post-Auth-Type Reject (2) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject Id 38 from 127.0.0.1:1812 to 127.0.0.1:55939 (this happens both when proxy-to-vserver, or when just running through unproxied) I'm a bit worried about that - the dictionaries are auto-loaded, and they contain "Reject" as a value of Post-Auth-Type just fine. So why is this not found? And, more importantly, if my post-auth section has something to do inside Post-Auth-Type Reject: will these config items actually get executed? Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 2 May 2014, at 09:17, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
I can confirm that today's GIT does what it's supposed to in terms of Access-Reject/Accept :-)
There is still something strange (but probably unrelated) which I see in debug mode:
(2) pap : Passwords don't match (2) [pap] = reject (2) } # Auth-Type PAP = reject (2) Failed to authenticate the user. (2) Using Post-Auth-Type Reject (2) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject Id 38 from 127.0.0.1:1812 to 127.0.0.1:55939
(this happens both when proxy-to-vserver, or when just running through unproxied)
I'm a bit worried about that - the dictionaries are auto-loaded, and they contain "Reject" as a value of Post-Auth-Type just fine.
Because you don't have a Reject section in Post-Auth?
So why is this not found?
And, more importantly, if my post-auth section has something to do inside Post-Auth-Type Reject: will these config items actually get executed?
They should do. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
(2) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject Id 38 from 127.0.0.1:1812 to 127.0.0.1:55939
(this happens both when proxy-to-vserver, or when just running through unproxied)
I'm a bit worried about that - the dictionaries are auto-loaded, and they contain "Reject" as a value of Post-Auth-Type just fine.
Because you don't have a Reject section in Post-Auth?
Whoa. I had no idea that this big fat WARNING message is about "nothing, really". "I've got nothing to do" really doesn't deserve a) being called a WARNING b) claiming "cannot perform requested action" - I didn't request any action at that spot, so not performing any action is exactly what I *want*. c) the value isn't unknown. It's known, just not present and called for in the config. Other places in the server are much more relaxed about this situation, like "section empty, using default". Can't the server be made to sound a little bit less alerted? ;-) Greetings, Stefan Winter
So why is this not found?
And, more importantly, if my post-auth section has something to do inside Post-Auth-Type Reject: will these config items actually get executed?
They should do.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 2 May 2014, at 09:30, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
(2) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Sending Access-Reject Id 38 from 127.0.0.1:1812 to 127.0.0.1:55939
(this happens both when proxy-to-vserver, or when just running through unproxied)
I'm a bit worried about that - the dictionaries are auto-loaded, and they contain "Reject" as a value of Post-Auth-Type just fine.
Because you don't have a Reject section in Post-Auth?
Whoa. I had no idea that this big fat WARNING message is about "nothing, really".
"I've got nothing to do" really doesn't deserve a) being called a WARNING b) claiming "cannot perform requested action" - I didn't request any action at that spot, so not performing any action is exactly what I *want*.
Depends if you see the server core and the modules/policies as separate entities.
c) the value isn't unknown. It's known, just not present and called for in the config.
RDEBUG3("Appropriate %s sub-section not found. Cannot perform requested action.", section_type_value[comp].typename);
Other places in the server are much more relaxed about this situation, like "section empty, using default".
It used to actually, but the server was becalmed.
Can't the server be made to sound a little bit less alerted? ;-)
Oh, go on then. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Fri, May 02, 2014 at 09:58:20AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
Can't the server be made to sound a little bit less alerted? ;-)
- surely the default config should just be correct? :-)
Bit late in on the party here... The default config does actually contain a Post-Auth-Type REJECT section, so I'm guessing that part was commented out, which gave cause for the warning message. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
- surely the default config should just be correct? :-)
Bit late in on the party here...
The default config does actually contain a Post-Auth-Type REJECT section, so I'm guessing that part was commented out, which gave cause for the warning message.
That's right. In my defense, I was told to create a *minimal* config that reproduces the problem - the Post-Auth-Type Reject was one of things that went. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 7 May 2014, at 06:38, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
- surely the default config should just be correct? :-)
Bit late in on the party here...
The default config does actually contain a Post-Auth-Type REJECT section, so I'm guessing that part was commented out, which gave cause for the warning message.
That's right. In my defense, I was told to create a *minimal* config that reproduces the problem - the Post-Auth-Type Reject was one of things that went.
I hate inappropriate warnings, they make people fudge their configs just to get rid of them *grumble*. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Matthew Newton -
Stefan Winter