Post-Auth-Type REJECT "broken" in 3.1.x
Alan DeKok
aland at deployingradius.com
Thu Jun 23 17:02:28 CEST 2016
On Jun 23, 2016, at 10:54 AM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> I'll take a look at it.
Thanks.
> I guess 4.0.x might now be a good time to consider several things
> that have been around for a long time, but may no longer be
> particularly common or required.
Yes.
> Looking at e.g. preprocess, there are a shedload of hacks for
> things that look pretty old. How many are still useful, or could
> be written as unlang policies instead?
Many could be written as policies. My only concern is performance. While unlang is flexible, it's not particularly fast. So having policies in C is often useful.
> With unlang, are hints and huntgroups still worth keeping? Is
> preprocess still needed at all? Is there a more generic way
> rlm_files could work to cover the same thing?
The files module might be able to do something similar.
> Things like mschap NT domain hack...
>
> Talk a while back about renaming authorize{}, post-auth{} etc.
> Though I don't think there were any conclusive arguments.
It's started in 4.0. :(
The argument is simple: keeping the existing methods is RADIUS-specific, confusing, etc.
Q: what happens when the server sends an Access-Reject?
A: it runs the post-auth section, and for that, the Post-Auth-Type Reject subsection
Q: Huh? What kind of crack are you guys on anyways?
A: :(
In 4.0, it's now:
send Access-Reject {
...
}
Simple. Very, very, simple.
Also, the non-RADIUS protocols are currently hacked together by running them through "authorize" or "post-auth" sections. That's terrible. In 4.0, it's:
recv DHCP-Foo {
}
send DHCP-Bar {
}
Which is again much simpler.
See src/modules/proto_radius/proto_radius_acct.c for details.
> I don't have any idea whether people are still using any of
> this stuff...
There are occasional questions about hunt groups, nothing about hints.
TBH, hints could go today. The hunt groups could be removed, and replaced with "use a database".
Many of the other NAS-specific hacks can be removed. They've been there for 18 years, and I don't think any of that equipment is still running. If it is, people can just write "unlang" for it.
Alan DeKok.
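As an added illustration, not part of the original message and not the FreeRADIUS project's shipped configuration: the same reject handling written both ways. The 3.1.x form follows the layout of the stock sites-available/default virtual server (post-auth with a Post-Auth-Type REJECT subsection); the 4.0 form uses only the "send Access-Reject { }" block quoted above, and the surrounding "server default { namespace = radius }" wrapper plus the module calls inside both blocks are assumptions about what a site would put there, not a statement of 4.0's defaults.

```unlang
# 3.1.x: the server runs post-auth for every reply, then the
# Post-Auth-Type REJECT subsection for Access-Reject only.
# Nothing in the section name says "reject", which is the confusion
# described in the message above.
post-auth {
    # Subsection executed only when the reply is an Access-Reject.
    Post-Auth-Type REJECT {
        # Log the failed attempt to SQL as well (assumes rlm_sql is configured;
        # the leading "-" makes a missing module a no-op instead of an error).
        -sql

        # Strip reply attributes that must not be sent in an Access-Reject.
        # Without this, attributes added earlier in authorize/post-auth
        # (VLAN assignment, Framed-IP-Address, etc.) would leak into the
        # reject packet.
        attr_filter.access_reject

        # Let EAP turn a policy reject into a proper EAP-Failure.
        eap

        # Drop Reply-Message when an EAP-Message is present.
        remove_reply_message_if_eap
    }
}

# 4.0: the section is named after the packet being sent.
# (Assumption: the server/namespace wrapper shown here; the post only
# shows the "send Access-Reject" block itself.)
server default {
    namespace = radius

    send Access-Reject {
        -sql
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
}
```

The one line a practitioner should not drop when translating a 3.x policy is attr_filter.access_reject: it is the check that keeps reply attributes out of the reject packet, and it belongs in the 4.0 "send Access-Reject" block just as it did in the 3.x subsection.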