RFC compliance for Access Challenge

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Mon Dec 12 14:06:00 CET 2011


Hi,

>    Would like to know why Free Radius is putting the user configuration data
>    in Access Challenge ?

as per attrs.access_challenge


#	This configuration file is used to remove almost all of the
#	attributes From an Access-Challenge message.  The RFC's say
#	that an Access-Challenge packet can contain only a few
#	attributes.  We enforce that here.
#
DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout =* ANY,
	Idle-Timeout =* ANY

this would suggest strongly that you aren't actually USING this filter to
follow the RFCs that you are so strongly advocating in your post - this
filter file is defined in modules/attrs

attr_filter attr_filter.access_challenge {
	key = %{User-Name}
	attrsfile = ${confdir}/attrs.access_challenge
}



now....read the sites-enabled/default as provided with the server, scroll
down to the 'eap' authentication and then you'll see the next 12 lines have
the bit that will enable this filter.  it's commented out by default because
it's an RFC that not many people care about (having seen junk from IAS/NPS and
ACS, FreeRADIUS is already *quite* RFC compliant without this extra bit of OCD  ;-)

alan
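
Added example, not part of the original message and not FreeRADIUS code: a small Python model of what the quoted DEFAULT entry does to an Access-Challenge reply, useful for checking which attributes seen in a challenge would be stripped once the filter is enabled. It handles only the "=* ANY" (attribute present, any value) rules shown above; the function names and the sample attribute list are constructed for illustration.

```python
import re

# The DEFAULT entry quoted in the message above (attrs.access_challenge).
ATTRS_ACCESS_CHALLENGE = """\
DEFAULT
	EAP-Message =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout =* ANY,
	Idle-Timeout =* ANY
"""

# Indented rule line of the form "Name =* ANY" with an optional trailing comma.
RULE = re.compile(r"^\s+([\w-]+)\s*=\*\s*ANY\s*,?\s*$")

def parse_allowed(text):
    """Return the attribute names permitted by '=* ANY' rules under DEFAULT."""
    allowed, in_default = set(), False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if not line[0].isspace():         # unindented line starts a new entry
            in_default = line.strip() == "DEFAULT"
            continue
        match = RULE.match(line)
        if in_default and match:
            allowed.add(match.group(1))
    return allowed

def filter_challenge(attrs, allowed):
    """Split (name, value) pairs into (kept, stripped), preserving order."""
    kept = [(n, v) for n, v in attrs if n in allowed]
    stripped = [(n, v) for n, v in attrs if n not in allowed]
    return kept, stripped

# Constructed sample: an Access-Challenge that also carries per-user reply data.
SAMPLE_CHALLENGE = [
    ("EAP-Message", "0x0102000601"),
    ("Message-Authenticator", "0x00"),
    ("State", "0xabcdef"),
    ("Framed-IP-Address", "192.0.2.10"),
    ("Tunnel-Private-Group-Id", "42"),
]

if __name__ == "__main__":
    kept, stripped = filter_challenge(SAMPLE_CHALLENGE,
                                      parse_allowed(ATTRS_ACCESS_CHALLENGE))
    print("kept:    ", [n for n, _ in kept])
    print("stripped:", [n for n, _ in stripped])
```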


