On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter@crypt.co.nz> wrote:
I'm working on an in-place rebuild of another radius product using 3.0.10 and noticed something very stupid that an upstream NAS is doing. It's going to be a major challenge to get the upstream NAS corrected.
It's sending Auth & Acct messages on 1646.
1646 has been deprecated for 15+ years. Using one port for auth and acct was *never* allowed. Please name and shame the vendor. There is *no* reason in 2015 to have such non-compliant behaviour.
I tried setting the type to auth+acct in the sites-enabled/default listen section:
listen { ipaddr = * port = 1646 type = auth+acct # interface = eth0 # clients = per_socket_clients
Hm... that's allowed only for TCP sockets. It's parsed but ignored for UDP sockets. I suppose that should be fixed.
But if I receive an accounting message on that port, it gets rejected:
Yes.
If I swap it back to acct then the Auth messages get rejected.
Yes.
Any ideas on how to sort this?
Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets. Nothing else in the code will care. That should be ~15 lines or so. We disallow it because it's wrong, and we want to discourage bad behaviour. Alan DeKok.