Let FreeRADIUS ignore a request from rlm_perl
Hey there, I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module. I tried returning either RLM_MODULE_NOOP, RLM_MODULE_INVALID, RLM_MODULE_FAIL, and RLM_MODULE_HANDLED (without setting any reply attributes) inside an authenticate function. Although, in the end, they all result in the server rejecting the request, which is not what I want. How can I achieve this? -- Harm
On 08-09-15 13:34, Harm van Tilborg wrote:
Hey there,
I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
I tried returning either RLM_MODULE_NOOP, RLM_MODULE_INVALID, RLM_MODULE_FAIL, and RLM_MODULE_HANDLED (without setting any reply attributes) inside an authenticate function. Although, in the end, they all result in the server rejecting the request, which is not what I want.
Those are just the return values of the module. As to discarding packets: see the discussion at http://freeradius.1045715.n5.nabble.com/silently-drop-packet-access-request-... -- Herwin Weststrate
On Tue, Sep 8, 2015 at 1:59 PM, Herwin Weststrate <herwin@quarantainenet.nl> wrote:
On 08-09-15 13:34, Harm van Tilborg wrote:
Hey there,
I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
I tried returning either RLM_MODULE_NOOP, RLM_MODULE_INVALID, RLM_MODULE_FAIL, and RLM_MODULE_HANDLED (without setting any reply attributes) inside an authenticate function. Although, in the end, they all result in the server rejecting the request, which is not what I want.
Those are just the return values of the module.
As to discarding packets: see the discussion at
http://freeradius.1045715.n5.nabble.com/silently-drop-packet-access-request-...
-- Herwin Weststrate - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Let me explain why I believe dropping packets is a valid use case. I'm implementing OTPs using SMS. I currently have two servers at two separate locations. Some of my RADIUS clients directly send an access request to both servers, instead of considering the primary server first and when no reply is received, considering the second. Because the servers don't synchronize state, in this particular case, the client would receive two SMS messages containing different OTPs. Therefore, I would like the secondary server to ignore the access request by dropping the access request. -- Harm
I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
Let me explain why I believe dropping packets is a valid use case.
I'm implementing OTPs using SMS. I currently have two servers at two separate locations. Some of my RADIUS clients directly send an access request to both servers, instead of considering the primary server first and when no reply is received, considering the second. Because the servers don't synchronize state, in this particular case, the client would receive two SMS messages containing different OTPs.
Therefore, I would like the secondary server to ignore the access request by dropping the access request.
We use dropping packets for another scenario. We use FreeRADIUS for aaa for cisco switches (logging into SSH on them) instead of TacACS. The radius server authenticates against an LDAP server. Howerver, if LDAP is down, we still want to be able to login to the switches with a predefined admin password. The way cisco implemented this is, "if the radius server does not respond, us the local password". Thus, if the ldap module fails (not rejects), we want to ignore the packet instead of sending an access-reject. To achieve a "drop packet" you could use this configuration: Return RLM_MODULE_FAIL inside perl, And use this configuration inside the sites-enabled: redundant { perl do_not_respond } You can find do_not_respond in the policy.conf file. do_not_respond { update control { Response-Packet-Type := Do-Not-Respond } handled } However, you cannot do it directly from your perl module, you have to have some config in your sites-enabled to check and discard the packet. Kind regards Sander Eerdekens
On Wed, Sep 9, 2015 at 10:28 AM, Sander Eerdekens < sander.eerdekens@uzleuven.be> wrote:
I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
Let me explain why I believe dropping packets is a valid use case.
I'm implementing OTPs using SMS. I currently have two servers at two separate locations. Some of my RADIUS clients directly send an access request to both servers, instead of considering the primary server first and when no reply is received, considering the second. Because the servers don't synchronize state, in this particular case, the client would receive two SMS messages containing different OTPs.
Therefore, I would like the secondary server to ignore the access request by dropping the access request.
We use dropping packets for another scenario. We use FreeRADIUS for aaa for cisco switches (logging into SSH on them) instead of TacACS. The radius server authenticates against an LDAP server.
Howerver, if LDAP is down, we still want to be able to login to the switches with a predefined admin password. The way cisco implemented this is, "if the radius server does not respond, us the local password". Thus, if the ldap module fails (not rejects), we want to ignore the packet instead of sending an access-reject.
To achieve a "drop packet" you could use this configuration: Return RLM_MODULE_FAIL inside perl, And use this configuration inside the sites-enabled:
redundant { perl do_not_respond }
You can find do_not_respond in the policy.conf file. do_not_respond { update control { Response-Packet-Type := Do-Not-Respond }
handled }
However, you cannot do it directly from your perl module, you have to have some config in your sites-enabled to check and discard the packet.
Kind regards Sander Eerdekens
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Sander! This put me on the right track. As a matter of fact, you can specify the response packet type directly in rlm_perl, by doing: $RAD_CHECK{'Response-Packet-Type'} = 'Do-Not-Respond'; return RLM_MODULE_HANDLED; This way, no configuration change is needed in the site configuration. -- Harm
On Sep 9, 2015, at 2:55 AM, Harm van Tilborg <harm@zeroxcool.net> wrote:
I'm implementing OTPs using SMS. I currently have two servers at two separate locations. Some of my RADIUS clients directly send an access request to both servers,
Such clients are broken and wrong. They should be thrown in the garbage, and replaced with working clients. If you got the clients from a third party vendor, the vendor should fix their software so that it isn't broken and wrong. Sending twice the packets is stupid. It leads to more fragile networks, and more problems. Alan DeKok.
participants (4)
-
Alan DeKok -
Harm van Tilborg -
Herwin Weststrate -
Sander Eerdekens