silently drop packet (access-request)

Alan DeKok aland at
Thu Feb 9 18:08:14 CET 2006

Andriy Gapon <avg at> wrote:
> I think that it would be nice if list of such situations could be
> configurable and extensible.


  Dropping the packet is a security decision and there is no reason to
make it configurable.

> For example, there are some RADIUS-related solutions/drafts out
> there that require requests being silently dropped if they don't
> have Message-Authenticator or have incorrect value of
> Message-Authenticator. Neither can be done now with FreeRADIUS
> without modifying its source code.

  Then we will modify the source code to add those cases, like we did
when EAP support was added.

> 1. have a configurable list of attributes that require
> Message-Authenticator (so that I could put Message-Digest there, for
> example, in addition to EAP-Message)

  Then people will edit the list to break the server.  No.

> 2. have a configuration knob that could tell "drop all incoming messages
> without Message-Authenticator"

  That could be done.

> 3. do Message-Authenticator value validation in rad_recv() (this could
> be configurable too, defaulting to current behavior)

  No.  It's a perfomance issue.

> Even more flexible would be a capability to silently drop packet in any
> (auth) module, but I think that it would require a lot of work. BTW,
> there is a bug report in FreeRADIUS bugzilla related to this (it's not
> mine):

  It's a bad idea, it violates the RFC's, and it makes your network
more unstable.

  Alan DeKok.

More information about the Freeradius-Users mailing list