We have a couple customers whose FreeRADIUS servers do not respond if a user does not exist on their FreeRADIUS system. If a user authenticates using username: idontexist and password: notarealpass the FreeRADIUS server does NOT send an access denied response, and indeed sends no response at all. I vaguely remember that this may have been an available setting on FreeRADIUS, but can find no information about it on the internet. I have been unable to recreate this problem in our lab and the customers who administer these servers seem to be unable to find any explanation. Please note I have no access to the servers that this happens on. The servers are owned by customers of ours. So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
On Tue, Jul 10, 2012 at 8:56 PM, perl-list <perl-list@network1.net> wrote:
So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
Yes. Or to be accurate, there's a setting that allows you to not respond on any condition you choose, depending where and how you use it. https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/policy.conf look for "do_not_respond" -- Fajar
On Tue, Jul 10, 2012 at 9:13 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Jul 10, 2012 at 8:56 PM, perl-list <perl-list@network1.net> wrote:
So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
Yes.
Or to be accurate, there's a setting that allows you to not respond on any condition you choose, depending where and how you use it.
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/policy.conf
look for "do_not_respond"
... or it might be just a really long delay: https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/radiusd.con... look for "reject_delay". -- Fajar
Thank you, Fajar. ----- Original Message -----
From: "Fajar A. Nugraha" <list@fajar.net> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 10, 2012 10:13:27 AM Subject: Re: Not responding when a user is unknown
On Tue, Jul 10, 2012 at 8:56 PM, perl-list <perl-list@network1.net> wrote:
So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
Yes.
Or to be accurate, there's a setting that allows you to not respond on any condition you choose, depending where and how you use it.
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/policy.conf
look for "do_not_respond"
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10/07/12 14:56, perl-list wrote:
So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
If you're running a recent version of the server, and you configure it that way, it can to that. See the "do_not_respond" policy in "policy.conf". This is usually a bad idea unless you have a very good understanding of what you want to achieve. It's a particularly bad idea if you do it on some usernames and not others, as downstream clients (NAS or proxy clients) will mark the server dead based on untrusted input (the username).
On 10 Jul 2012, at 14:56, perl-list wrote:
We have a couple customers whose FreeRADIUS servers do not respond if a user does not exist on their FreeRADIUS system. If a user authenticates using username: idontexist and password: notarealpass the FreeRADIUS server does NOT send an access denied response, and indeed sends no response at all. I vaguely remember that this may have been an available setting on FreeRADIUS, but can find no information about it on the internet. I have been unable to recreate this problem in our lab and the customers who administer these servers seem to be unable to find any explanation.
Please note I have no access to the servers that this happens on. The servers are owned by customers of ours.
So basically, is there a setting that causes the FreeRADIUS server to not respond to Access-Request packets if the username contained there-in is not found in whatever database it is using?
No, but there is a policy, see raddb/policy.conf. If you call the 'do_not_respond' policy the server won't respond… Calling or returning handled would probably have the same effect depending on the section… Without debug logs there's not much else to suggest. Seeing as you're a business, commercial support is available if you're desperate and can't get this figured out - http://freeradius.org/business/ -Arran
participants (4)
-
Arran Cudbard-Bell -
Fajar A. Nugraha -
perl-list -
Phil Mayers