Possible bug in configurable failover
Brian Candler
B.Candler at pobox.com
Sun Mar 13 21:02:55 CET 2011
I think I've found a bug in configurable failover - or at least, it doesn't
correspond to any behaviour I can see documented, but I thought I'd raise it
here before making a ticket.
To replicate: start with stock freeradius 2.1.x, uncomment the "steve" entry
from the users file, and apply the following config changes:
--- etc/raddb/sites-available/default.orig 2011-03-13 19:48:20.584961000 +0000
+++ etc/raddb/sites-available/default 2011-03-13 19:47:09.244961001 +0000
@@ -237,7 +237,11 @@
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
- pap
+ pap {
+ ok = return
+ reject = 1
+ }
+ testing_module
}
#
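Review bot: the `ok = return` / `reject = 1` overrides on `pap` change the failure path without saying so: a password mismatch no longer ends the `Auth-Type PAP` section, so `testing_module` runs on every rejected request, while a correct password returns before it. Since `testing_module` is defined in a different file (policy.conf), a comment here stating the intent, e.g. `# reject = 1: fall through to testing_module on a failed password`, would keep the two halves of the setup understandable to the next reader.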
--- etc/raddb/policy.conf.orig 2011-03-13 19:48:26.154961000 +0000
+++ etc/raddb/policy.conf 2011-03-13 19:49:45.434961000 +0000
@@ -194,4 +194,18 @@
noop
}
}
+
+ testing_module {
+ if (1) {
+ update reply {
+ Reply-Message += "Foo"
+ }
+ }
+ if (1) {
+ update reply {
+ Reply-Message += "Bar"
+ }
+ ok
+ }
+ }
}
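Review bot: both `if (1)` conditions in `testing_module` are unconditional, so combined with `reject = 1` this policy turns every failed PAP authentication into an Access-Accept rather than doing so "under certain circumstances". That is fine for reproducing the return-code behaviour, but the placeholder conditions should be replaced with the real ones, or the block commented as test-only, before anything like it reaches a live config. Note also that the first `if` block has no explicit return code after its `update reply`, while the second ends in `ok`; that asymmetry is the only difference between the two blocks.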
The idea is to use a module to turn an access reject into an access reject
under certain circumstances. It just happens to have two separate 'if'
statements (and this is what triggers the bug).
Everything is fine if you give the correct password for steve. If you give
the wrong password, something strange happens:
$ bin/radtest steve badpass localhost 1 testing123
Sending Access-Request of id 221 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "badpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=221, length=25
Reply-Message = "Foo"
You can see that only the first 'if' statement has been executed, and then
it has dropped out of the module entirely, keeping the reject status.
As a workaround, you can insert a 'noop':
--- etc/raddb/policy.conf.orig 2011-03-13 19:48:26.154961000 +0000
+++ etc/raddb/policy.conf 2011-03-13 19:57:42.294961000 +0000
@@ -194,4 +194,19 @@
noop
}
}
+
+ testing_module {
+ if (1) {
+ update reply {
+ Reply-Message += "Foo"
+ }
+ noop
+ }
+ if (1) {
+ update reply {
+ Reply-Message += "Bar"
+ }
+ ok
+ }
+ }
}
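Review bot: the `noop` added to the first `if` block is the whole workaround, so it needs a comment, e.g. `noop  # explicit rcode so the section continues to the next if`, otherwise a later reader will see a statement that does nothing and remove it, bringing back the early exit. It would also be worth stating whether the `noop` is needed after every `if` block ending in `update reply`, or only when another statement follows in the same policy, since the second block (which ends in `ok`) needs nothing.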
And then it behaves how I would have expected in the first place, without
the noop:
$ bin/radtest steve badpass localhost 1 testing123
Sending Access-Request of id 159 to 127.0.0.1 port 1812
User-Name = "steve"
User-Password = "badpass"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=159, length=81
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Reply-Message = "Foo"
Reply-Message = "Bar"
Any thoughts as to what is going on here?
Thanks,
Brian.