RFC compliance in sanitizing Access-Reject responses

Nicolas Baradakis nbk at sitadelle.com
Sat Sep 2 22:50:27 CEST 2006


Alan DeKok wrote:

> Nicolas Baradakis <nbk at sitadelle.com> wrote:
>
> > 1. Allowing VSA in the reply packets is really a bug: if you have an
> > existing username with a wrong password, the VSA useful to set up a
> > connection were pulled from the database during authorize and are sent
> > in the reject packet.
>
>   That's more of a bug that the return attributes are set up before
> the user is fully authenticated.  They should be configured *after*
> authentication.

Until now it's the only method to get reply items from a SQL
database: you have to use the "authorize_reply_query" directive.
I'm not using LDAP, but I think this module adds VP to the reply
packet during authorize, too.

Is it reasonable to modify the SQL queries in version 2.0? We could
get only the check items in authorize, and the reply items will be
pulled later in post-auth. (only if login is successful)

As the failed login attempts represent a significant part of the total
RADIUS traffic, this should notably reduce the load of the backend
database. (we don't query reply items if not needed)

-- 
Nicolas Baradakis
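An added example, not code from the thread or from FreeRADIUS: a small Python model of the two flows discussed above. The legacy flow pulls reply items during authorize and so leaks them (VSAs included) into an Access-Reject; the proposed flow fetches only check items in authorize and runs the reply query in post-auth, only after the password check succeeds. Table contents, attribute names and query counters are constructed for the illustration.

```python
from typing import Dict, List, Tuple

Attr = Tuple[str, str]  # (attribute name, value)

# Constructed stand-in for the SQL backend (radcheck / radreply style tables).
CHECK_TABLE: Dict[str, List[Attr]] = {
    "alice": [("Cleartext-Password", "s3cret")],
}
REPLY_TABLE: Dict[str, List[Attr]] = {
    "alice": [("Framed-IP-Address", "10.0.0.5"),
              ("Cisco-AVPair", "ip:inacl#1=permit ip any any")],  # a VSA
}
QUERY_COUNT = {"check": 0, "reply": 0}  # how often each backend query ran

def check_query(user: str) -> List[Attr]:
    """Authorize-time query: check items only."""
    QUERY_COUNT["check"] += 1
    return CHECK_TABLE.get(user, [])

def reply_query(user: str) -> List[Attr]:
    """Query for reply items (the expensive part for failed logins)."""
    QUERY_COUNT["reply"] += 1
    return REPLY_TABLE.get(user, [])

# RFC 2865 section 5.44 permits only Reply-Message and Proxy-State in an
# Access-Reject; RFC 2869 adds EAP-Message and Message-Authenticator.
REJECT_ALLOWED = {"Reply-Message", "Proxy-State",
                  "EAP-Message", "Message-Authenticator"}

def sanitize_reject(attrs: List[Attr]) -> List[Attr]:
    """Drop anything an Access-Reject may not carry (the RFC-compliance fix)."""
    return [a for a in attrs if a[0] in REJECT_ALLOWED]

def handle_legacy(user: str, password: str) -> Tuple[str, List[Attr]]:
    """Flow described in the thread: reply items pulled during authorize."""
    check = dict(check_query(user))
    reply = reply_query(user)                        # fetched before authentication
    if check.get("Cleartext-Password") != password:
        return "Access-Reject", reply + [("Reply-Message", "Login incorrect")]  # leaks
    return "Access-Accept", reply

def handle_split(user: str, password: str) -> Tuple[str, List[Attr]]:
    """Proposed flow: check items in authorize, reply items in post-auth."""
    check = dict(check_query(user))                  # authorize: check items only
    if check.get("Cleartext-Password") != password:  # authenticate
        return "Access-Reject", sanitize_reject([("Reply-Message", "Login incorrect")])
    return "Access-Accept", reply_query(user)        # post-auth: reply items, success only
```

Running both flows against a wrong password shows the legacy reject carrying the VSA while the split flow issues no reply query at all.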