Be careful doing this - as NASes may assume the RADIUS server has failed. There may be a solution to your problem where you let the CPE connect, but add filters to block traffic / put them in to a VRF which doesn’t let them do anything.
On 4/04/2022, at 7:36 PM, Nick Porter <nick@portercomputing.co.uk> wrote:
Hi Nicolas
Instead of "return", you can use the policy "do_not_respond" which instructs FreeRADIUS not to respond to the request.
This sets &reply:Packet-Type to Do-Not-Respond - which if you find things are still being logged, you can test for to avoid the logging.
Nick
On 04/04/2022 07:39, Nicolas Breuer wrote:
Hello,
We are flooded by a wrong CPE configuration. Is there a way if the realm is not configured in proxy.conf to discard the packet silently and discard the log in the radius.log ? I tried to return if “noop” but logging is still there 😊 Disable the logging for auth_reject is not an option 😊
authorize {
# The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. # # It takes care of processing the 'raddb/mods-config/preprocess/hints' # and the 'raddb/mods-config/preprocess/huntgroups' files. preprocess
# # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set chap
# # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. mschap
# # Look for realms in user@domain format suffix
if (noop){ return } …….
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Nick Porter
Porter Computing Ltd Registered in England No 12659380
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html