aland at deployingradius.com
Sun Dec 21 07:44:53 CET 2008
Anders Holm wrote:
> Heh. I sure did. Though, I'm thinking slightly differently I suppose..
> "How can something be accepted which has not been requested?".
That is the definition of how Status-Server works. This definition
goes back to 1996 in a number of RADIUS servers. It is now being
Which was written by... me.
> And I
> understand why the Accepts increment. I just don't understand why the
> Requests aren't, as that how I'd look at a query to get the Status, a
> Request which specifically is an Access-Request to get Status-Server
> data returned. At least, that is my view.
Are you being deliberately obtuse? Or just deliberately difficult?
a) There is a counter for Access-Requests
b) There is a counter for Access-Accepts
c) The response to Status-Server is Access-Accept
That's how it works. 3 simple rules that anyone should be able to
understand. There is no counter for Status-Server, and the
"Access-Request" counter is not incremented when a "Status-Server"
packet is received.
Why? Because Status-Server packets aren't Access-Request packets!
They're spelled differently! And *pronounced* differently!
> Considering I'm using exactly what the example from the Wiki tells me,
> there is an Authentication, so logically, I'm asking for Access.
> "# echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | \"
Now you are being *deliberately* misleading. The next line that you
*conveniently* didn't quote is:
radclient localhost:18120 status adminsecret
See the "status" word? The "radclient" documentation says that this
means "send Status-Server".
And nothing is being authenticated. No user, no machine, nothing.
Nothing is asking for access.
> So, Access-Accepts I got no problem with. That stacks up. Requests and
> Rejects is what I'm curious about. If my shared secret is wrong for
> example, doesn't that get counted as an Access-Reject, or doesn't it get
> counted at all?
This is a fascinating discusion in how a simple example can be twisted
into something unrecognizable.
The RADIUS *packet* is being signed. No RADIUS *users* are being
authenticated. And the response to a Status-Server is *never*
Go read my draft. If you don't understand it, read it again. If you
still don't understand it, ask someone *else* about it.
>> There is only one Status-Server packet. I don't know what you mean by
> If one separates the Requests versus Accepts and Rejects, I'd see 3 ..
> If one follows the set examples for other counters anyway.
Nonsense. This confusion happens only because you fail to comprehend
the 3 simple rules I posted above. Instead, you are working valiently
to come up with a tortured explanation based on a near-total
> Sure. In your own scenario you're considering several clients. On disk
> isn't good enough either. Losing a disk also means losing data.
You only have one disk? You must be terribly poor.
More information about the Freeradius-Users