Thank you both for the great advice. It turns out it was incorrect proxy configuration in 8950. Sorted it out with a single line change in non-production, now the fun to get it deployed into production. On Mon, Dec 21, 2015 at 2:23 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter@crypt.co.nz> wrote:
I'm working on an in-place rebuild of another radius product using 3.0.10 and noticed something very stupid that an upstream NAS is doing. It's going to be a major challenge to get the upstream NAS corrected.
It's sending Auth & Acct messages on 1646.
1646 has been deprecated for 15+ years. Using one port for auth and acct was *never* allowed.
Please name and shame the vendor. There is *no* reason in 2015 to have such non-compliant behaviour.
I tried setting the type to auth+acct in the sites-enabled/default listen section:
listen { ipaddr = * port = 1646 type = auth+acct # interface = eth0 # clients = per_socket_clients
Hm... that's allowed only for TCP sockets. It's parsed but ignored for UDP sockets. I suppose that should be fixed.
But if I receive an accounting message on that port, it gets rejected:
Yes.
If I swap it back to acct then the Auth messages get rejected.
Yes.
Any ideas on how to sort this?
Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets. Nothing else in the code will care. That should be ~15 lines or so.
We disallow it because it's wrong, and we want to discourage bad behaviour.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html