Auth-Type = Reject not 'working'
hi, the recent post mentioning Auth-Type = System reminded me.... if I've got a Auth-Type = Reject int he users file, then when making a request with a remote RADIUS client, then the request times out when freeradius is running as a normal process daemon... on Fedora, this is running as a service with the '-y' option... however, this timeout is variable..and sometimes...just sometimes it works. however, when running freeradius is debug mode, with -X, the Reject reply message is pretty fast...though still a lot slower than an Access-Accept message for a valid user - even though the valid user is in a database or a kerberos check. I assumed that a Auth-Type := Reject was an instant hit, with no further procedures... why then, when run in debug mode, does FreeRADIUS happily reject the client request but when run as a normal process, it throws the request towards other Auth mechanisms? alan
A.L.M.Buxey@lboro.ac.uk wrote:
however, when running freeradius is debug mode, with -X, the Reject reply message is pretty fast...though still a lot slower than an Access-Accept message for a valid user - even though the valid user is in a database or a kerberos check. I assumed that a Auth-Type := Reject was an instant hit, with no further procedures... why then, when run
security { # delayed_reject: When sending an Access-Reject, it can be # delayed for a few seconds. This may help slow down a DoS # attack. It also helps to slow down people trying to brute-force # crack a users password. # # Setting this number to 0 means "send rejects immediately" reject_delay = 1 }
in debug mode, does FreeRADIUS happily reject the client request but when run as a normal process, it throws the request towards other Auth mechanisms?
I'm not sure about *that* aspect of it. I've never seen it. But rejects are delayed in the default config.
Hi,
# Setting this number to 0 means "send rejects immediately" reject_delay = 1
i know this one - but why the change in behaviour when running in debug mode (where it all works fine - nice 1 second timeout, no checking against other Authentication methods etc) compared to running as a real service? alan
A.L.M.Buxey@lboro.ac.uk wrote:
i know this one - but why the change in behaviour when running in debug mode (where it all works fine - nice 1 second timeout, no checking against other Authentication methods etc) compared to running as a real service?
The "reject_delay" not working properly is a bug. And I'd be *very* suprised to see a request continuing against "other" authentication methods, because only one authentication method is used. Could you explain what you mean, maybe with debug traces? Alan DeKok.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Phil Mayers