Hello, I'm testing the case of an Access-Request proxied to a home server which does not respond. I expect to see my request go through : - authorize - pre-proxy (no response from proxy) - Post-Proxy-Type Fail And client gets no response (or possibly an Access-Reject). This is what happened in 3.0.1, but it seems it has changed in 3.0.2, now I have: - authorize - pre-proxy (no response from proxy) And then the weird part: - authorize (again) - post-auth Then an Access-Accept is sent back to the client. Which it can't use, because there's nothing useful inside. Is this a bug, or a configuration issue ? Here is my site configuration (stripped down to a minimal setup to reproduce the issue): SRS_3gpp_fictive_realm = 3gpp.orange.fr server server-owa-eap { listen { ipaddr = * type = auth port = 1812 } listen { ipaddr = * port = 1813 type = acct } authorize { # Handle EAP/SIM Authentication request if (EAP-Message) { update control { Proxy-To-Realm := ${SRS_3gpp_fictive_realm} } } } # end of authorize section post-auth { # an Access-Reject goes through post-auth REJECT subsection. # In the current section we are handling Accept and Challenge responses Post-Auth-Type REJECT { attr_filter.access_reject } } # end of post-auth section pre-proxy { } post-proxy { Post-Proxy-Type Fail { update control { Auth-Type := Reject } } } # end of post-proxy section } # end of server-owa-eap virtual server configuration. And here is the debug output: rad_recv: Access-Request packet from host 10.67.106.9 port 49191, id=219, length=65 User-Name = 'test-cui@SIM.orange.fr' EAP-Message = 0x78 Message-Authenticator = 0x487abb36d8a3ae1555680419160778c7 (0) # Executing section authorize from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap (0) authorize { (0) if (EAP-Message) (0) if (EAP-Message) -> TRUE (0) if (EAP-Message) { (0) update control { (0) Proxy-To-Realm := '3gpp.orange.fr' (0) } # update control = noop (0) } # if (EAP-Message) = noop (0) } # authorize = noop (0) Proxying request to home server 10.67.141.66 port 61822 Sending Access-Request of id 221 from 0.0.0.0 port 63870 to 10.67.141.66 port 61822 User-Name = 'test-cui@SIM.orange.fr' EAP-Message = 0x78 Message-Authenticator = 0x487abb36d8a3ae1555680419160778c7 Proxy-State = 0x323139 Waking up in 0.3 seconds. Waking up in 0.4 seconds. (0) Expecting proxy response no later than 10 seconds from now Waking up in 9.1 seconds. (0) No proxy response, giving up on request and marking it done Marking home server 10.67.141.66 port 61822 as zombie (it has not responded in 10 seconds). (0) ERROR: Failing request - proxy ID 221, due to lack of any response from home server 10.67.141.66 port 61822 (0) # Executing section authorize from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap (0) authorize { (0) if (EAP-Message) (0) if (EAP-Message) -> TRUE (0) if (EAP-Message) { (0) update control { (0) Proxy-To-Realm := '3gpp.orange.fr' (0) } # update control = noop (0) } # if (EAP-Message) = noop (0) } # authorize = noop (0) Auth-Type = Accept, accepting the user (0) # Executing section post-auth from file /opt/application/mwpsrs/current/etc/raddb/sites-enabled/server-owa-eap Sending Access-Accept of id 219 from 10.67.106.9 port 1812 to 10.67.106.9 port 49191 (0) Finished request 0. Waking up in 0.3 seconds. Waking up in 3.6 seconds. No response to status check 1 for home server 10.67.141.66 port 61822 Waking up in 0.9 seconds. (0) Cleaning up request packet ID 219 with timestamp +5 Waking up in 15.8 seconds. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.