Need some help with Access-Reject messages in upgrade from FreeRadius1.1.0 to FreeRadius 2.0.5

tnt at kalik.net tnt at kalik.net
Tue Oct 21 23:07:39 CEST 2008


>Good morning, everybody.  I am working on an upgrade for our FreeRadius
>servers, which are currently at 1.1.0.    I have configured a test
>Radius server, which is running FreeRadius 2.0.5.  These are both
>Solaris 10 systems running SPARC, and our backend is LDAP.
>
>With FreeRadius 1.1.0, when a user is rejected, the rejection message
>looks like this on the client side:
>
>rad_recv: Access-Reject packet from host x.x.x.x:1645, id=251, length=49
>    Reply-Message = "Please, call the help desk."
>
>No matter what the user, if the user has a static IP, or any other
>information in his user profile, etc, that's all it has - the reject
>message.
>

That's how things should be (so says RFC).

>
>With FreeRadius 2.0.5, when a user is rejected, the rejection message
>has more information in it:
>
>rad_recv: Access-Reject packet from host x.x.x.x:1645, id=74, length=32
>    Framed-IP-Netmask = 255.255.255.255
>    Framed-IP-Address = x.x.x.x
>

That's bad. You have done something to the filter in post auth type
reject. Put that back the way it was.

>Admittedly, the configuration file for the 2.0.5 server is a mixture of
>1.1.0 config style, and 2.0.5 config style, leaning more towards the
>1.1.0 style, so it could simply be a result of old style getting in the
>way of the new, but I have gone through both configs, and I can't find
>out where my access-reject message in my users file is being either
>a)overwritten, or b) ignored outright.
>
>I've gone through the docs, and the wiki, but haven't found out what I'm
>missing. I'm running RADIUS 2.0.5 in  debug mode (-XXX), but haven't
>found anything pointing out what I'm doing wrong.    I can comment out
>the entries in ldap.attrmap, but that also means they don't get sent
>when the authentication succeeds.
>
>Here's the last line of my users file, below all other local users, and
>default entries:
>
>DEFAULT Auth-Type := Reject
>        Reply-Message = "Please, call the help desk."
>

Post the debug. It's extremely likely that something before this entry
matched but didn't have Fall-Through at the end.

Ivan Kalik
Kalik Informatika ISP
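
An added example (not part of the original message, and not FreeRADIUS code): a small check that parses client-side `rad_recv` output like the two samples quoted above and flags any Access-Reject carrying attributes other than those the RFC 2865 attribute table allows there. The allow list, function names and sample text are assumptions of this example; the sample is constructed from the output quoted in the thread.

```python
import re

# Attributes the RFC 2865 attribute table allows in an Access-Reject.
# Assumption of this example: EAP deployments would extend this set.
ALLOWED_IN_REJECT = {"Reply-Message", "Proxy-State"}

HEADER = re.compile(r"^rad_recv: (?P<code>[\w-]+) packet from host \S+, id=(?P<id>\d+), length=\d+")
ATTR = re.compile(r"^\s+(?P<name>[\w-]+)\s*(?:=|:=|\+=)\s*(?P<value>.*)$")

# Constructed sample: the two client-side outputs quoted in the thread.
SAMPLE = '''\
rad_recv: Access-Reject packet from host x.x.x.x:1645, id=251, length=49
    Reply-Message = "Please, call the help desk."
rad_recv: Access-Reject packet from host x.x.x.x:1645, id=74, length=32
    Framed-IP-Netmask = 255.255.255.255
    Framed-IP-Address = x.x.x.x
'''

def parse_packets(text):
    """Split rad_recv debug output into packets with their attribute lists."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"code": m["code"], "id": int(m["id"]), "attrs": []}
            packets.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current["attrs"].append((m["name"], m["value"].strip()))
        elif not line.strip():
            current = None  # a blank line ends the current packet
    return packets

def audit_rejects(text):
    """Return one finding per Access-Reject that carries disallowed attributes."""
    findings = []
    for pkt in parse_packets(text):
        if pkt["code"] != "Access-Reject":
            continue
        names = [name for name, _ in pkt["attrs"]]
        leaked = [name for name in names if name not in ALLOWED_IN_REJECT]
        if leaked:
            findings.append({"id": pkt["id"], "leaked": leaked,
                             "missing_reply_message": "Reply-Message" not in names})
    return findings

if __name__ == "__main__":
    print(audit_rejects(SAMPLE))
```

Run against captured test-client output after a config change, an empty result means every reject carried only the permitted attributes.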



