Access-Request / Mandatory Attributes
Hi, I find that FreeRadius server allows access even without either of the mandatory attributes i.e. NAS-Identifier or NAS-IP-Address in the Access Request packet. Is this a deviation from RFC 2865 ? " .....An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both)." Can someone clarify this please? Many thanks, rsg.
rsg wrote:
I find that FreeRadius server allows access even without either of the mandatory attributes i.e. NAS-Identifier or NAS-IP-Address in the Access Request packet.
Is this a deviation from RFC 2865 ?
No.
" .....An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both)."
Can someone clarify this please?
It is a requirement on *client* implementations. It has no meaning for a RADIUS server. What do you suggest that a RADIUS server do if it receives a "non-compliant" packet? Discard it? Reject it? ... FreeRADIUS enforces security requirements. Nearly all of the other "MUST" statements are meant as "this is good practice". They can therefore be ignored. And they often *need* to be ignored for inter-operability with horrible vendor equipment. Alan DeKok.
Thanks for your prompt response Alan.
" .....An Access-Request SHOULD contain a User-Name attribute. It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both)."
Can someone clarify this please?
It is a requirement on *client* implementations. It has no meaning for a RADIUS server.
What do you suggest that a RADIUS server do if it receives a "non-compliant" packet? Discard it? Reject it? ...
Yes, i came across a different vendor that Rejects requests without either of those mandatory attributes.
FreeRADIUS enforces security requirements. Nearly all of the other "MUST" statements are meant as "this is good practice". They can therefore be ignored. And they often *need* to be ignored for inter-operability with horrible vendor equipment.
I understand your point here; however in my opinion some vendors don't seem to be that flexible even when it comes to such client side requirements. Cheers,
rsg wrote:
What do you suggest that a RADIUS server do if it receives a "non-compliant" packet? Discard it? Reject it? ...
Yes, i came across a different vendor that Rejects requests without either of those mandatory attributes.
Throw that product in the garbage, and get a real RADIUS server.
FreeRADIUS enforces security requirements. Nearly all of the other "MUST" statements are meant as "this is good practice". They can therefore be ignored. And they often *need* to be ignored for inter-operability with horrible vendor equipment.
I understand your point here; however in my opinion some vendors don't seem to be that flexible even when it comes to such client side requirements.
Yes. Some vendors don't like shipping a product that works in the real world. Alan DeKok.
participants (2)
-
Alan DeKok -
rsg