3.0.10 and auth+acct type under the listen section
Hi I'm working on an in-place rebuild of another radius product using 3.0.10 and noticed something very stupid that an upstream NAS is doing. It's going to be a major challenge to get the upstream NAS corrected. It's sending Auth & Acct messages on 1646. I tried setting the type to auth+acct in the sites-enabled/default listen section: listen { ipaddr = * port = 1646 type = auth+acct # interface = eth0 # clients = per_socket_clients But if I receive an accounting message on that port, it gets rejected: Listening on auth+acct address * port 1646 bound to server default Ready to process requests Receive - Invalid packet code 4 sent to authentication port from client Mobile port 50016 Ready to process requests If I swap it back to acct then the Auth messages get rejected. Any ideas on how to sort this?
On Mon, Dec 21, 2015 at 09:38:14AM +1300, Peter Lambrechtsen wrote:
It's sending Auth & Acct messages on 1646.
I tried setting the type to auth+acct in the sites-enabled/default listen section:
That means use the specified port from auth, and port+1 for acct.
Listening on auth+acct address * port 1646 bound to server default Ready to process requests Receive - Invalid packet code 4 sent to authentication port from client
See src/main/listen.c auth_socket_recv/acct_socket_recv. This isn't something you can override in the config.
Any ideas on how to sort this?
Get a new NAS, from the sound of it... Maybe there's some other software out there that will take something broken like this and proxy it through in a sane way? Or iptables u32 match on the packet code and redirect to the correct port... iptables -t nat -A PREROUTING \ -p udp --dport 1812 \ -m u32 --u32 "25&0xff=0x4" \ -j REDIRECT --to-ports 1813 I can't believe I just did that; eugh. This is completely not recommended. Fix the NAS. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter@crypt.co.nz> wrote:
I'm working on an in-place rebuild of another radius product using 3.0.10 and noticed something very stupid that an upstream NAS is doing. It's going to be a major challenge to get the upstream NAS corrected.
It's sending Auth & Acct messages on 1646.
1646 has been deprecated for 15+ years. Using one port for auth and acct was *never* allowed. Please name and shame the vendor. There is *no* reason in 2015 to have such non-compliant behaviour.
I tried setting the type to auth+acct in the sites-enabled/default listen section:
listen { ipaddr = * port = 1646 type = auth+acct # interface = eth0 # clients = per_socket_clients
Hm... that's allowed only for TCP sockets. It's parsed but ignored for UDP sockets. I suppose that should be fixed.
But if I receive an accounting message on that port, it gets rejected:
Yes.
If I swap it back to acct then the Auth messages get rejected.
Yes.
Any ideas on how to sort this?
Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets. Nothing else in the code will care. That should be ~15 lines or so. We disallow it because it's wrong, and we want to discourage bad behaviour. Alan DeKok.
Thank you both for the great advice. It turns out it was incorrect proxy configuration in 8950. Sorted it out with a single line change in non-production, now the fun to get it deployed into production. On Mon, Dec 21, 2015 at 2:23 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter@crypt.co.nz> wrote:
I'm working on an in-place rebuild of another radius product using 3.0.10 and noticed something very stupid that an upstream NAS is doing. It's going to be a major challenge to get the upstream NAS corrected.
It's sending Auth & Acct messages on 1646.
1646 has been deprecated for 15+ years. Using one port for auth and acct was *never* allowed.
Please name and shame the vendor. There is *no* reason in 2015 to have such non-compliant behaviour.
I tried setting the type to auth+acct in the sites-enabled/default listen section:
listen { ipaddr = * port = 1646 type = auth+acct # interface = eth0 # clients = per_socket_clients
Hm... that's allowed only for TCP sockets. It's parsed but ignored for UDP sockets. I suppose that should be fixed.
But if I receive an accounting message on that port, it gets rejected:
Yes.
If I swap it back to acct then the Auth messages get rejected.
Yes.
Any ideas on how to sort this?
Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets. Nothing else in the code will care. That should be ~15 lines or so.
We disallow it because it's wrong, and we want to discourage bad behaviour.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Newton -
Peter Lambrechtsen