Sending a disconnect message when replying with an access reject.
Peter Lambrechtsen
peter at crypt.co.nz
Thu Apr 18 22:48:07 CEST 2013
On Thu, Apr 18, 2013 at 11:35 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Thu, Apr 18, 2013 at 05:52:16PM +1200, Peter Lambrechtsen wrote:
>> When I setup the post-auth policy to send a update disconnect it works fine
>> if the response is an access accept. But if I update the control to access
>> reject the disconnect module gives me a noop.
>
> As a guess:
>
> The Post-Auth-Type REJECT section in the inner-tunnel is never
> called. This is fixed in v2.x.x HEAD and master.
>
> Post-Auth-Type REJECT in the outer tunnel is fine.
>
> This might be your problem.
Under the authorize section I have:
if (ADSL-Agent-Remote-Id !~ /COMP/ ) {
        update disconnect {
                Acct-Session-Id = "7444"
        }
#       update control {
#               Auth-Type := Reject
#       }
}
This was just for testing to see if I could send a Disconnect from
within the Authorize section.
In the trace I see:
+++? if (ADSL-Agent-Remote-Id !~ "xxx" ) -> TRUE
+++- entering if (ADSL-Agent-Remote-Id !~ "xxx" ) {...}
++++[disconnect] returns ok
Then at the end of the log I see:
Sending Access-Accept of id 161 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
WARNING: Empty pre-proxy section. Using default return values.
Sending Disconnect-Request of id 206 to 172.25.1.1 port 3799
        Acct-Session-Id = "7444"
Finished request 3.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Disconnect-NAK packet from host 172.25.1.1 port 3799, id=206, length=20
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 161 with timestamp +163
So in this case I see I get a NAK back (since I sent the wrong session ID).
Whereas if I have Auth-Type := Reject, that rejects the current
packet. I expected the Disconnect to still go through, but this is
what I see:
+++? if (ADSL-Agent-Remote-Id !~ "xxx" ) -> TRUE
+++- entering if (ADSL-Agent-Remote-Id !~ "xxx" ) {...}
++++[control] returns ok
++++[disconnect] returns ok
++++- entering policy do_not_respond {...}
+++++[control] returns ok
+++++[handled] returns handled
++++- policy do_not_respond returns handled
+++- if (ADSL-Agent-Remote-Id !~ "xxx" ) returns handled
Whereas all I send back is:
Sending Access-Reject of id 165 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Waking up in 4.9 seconds.
The Disconnect never gets sent.
I even tried adding it into post-auth as well under the Post-Auth-Type REJECT:
Post-Auth-Type REJECT {
        update disconnect {
                Acct-Session-Id = "7444"
        }
}
And the module returns a noop:
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++[disconnect] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 186 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Waking up in 4.9 seconds.
Any ideas?
Cheers
Peter
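Added illustration, not part of Peter's post or of FreeRADIUS itself: a small Python checker for radiusd -X output of the kind quoted in this thread. It pairs each Access-Accept/Access-Reject with any Disconnect-Request (or CoA-Request) the server originated after it and with the NAS's ACK/NAK for that id, so a run where the disconnect was never sent shows up directly. The trace text is constructed from the lines above; the CoA-* packet names are assumed from FreeRADIUS naming, and the "originated after the most recent Access-* reply" pairing is a heuristic for single-request traces.

```python
import re

# Constructed sample, modelled on the radiusd -X lines quoted in the thread.
SAMPLE_TRACE = """\
Sending Access-Accept of id 161 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Sending Disconnect-Request of id 206 to 172.25.1.1 port 3799
        Acct-Session-Id = "7444"
Finished request 3.
rad_recv: Disconnect-NAK packet from host 172.25.1.1 port 3799, id=206, length=20
Sending Access-Reject of id 165 to 172.25.1.1 port 62037
        ERX-Virtual-Router-Name = "default:voiplm1"
Waking up in 4.9 seconds.
"""

# Packets the server sends (auth replies and originated CoA/Disconnect).
SEND_RE = re.compile(
    r'^Sending (Access-Accept|Access-Reject|Disconnect-Request|CoA-Request)'
    r' of id (\d+) to (\S+) port (\d+)')
# Answers the NAS returns on the CoA port (names assumed from FreeRADIUS).
RECV_RE = re.compile(
    r'^rad_recv: (Disconnect-ACK|Disconnect-NAK|CoA-ACK|CoA-NAK) packet'
    r' from host (\S+) port (\d+), id=(\d+)')


def analyse_trace(text):
    """One record per Access-* reply: the reply code, the CoA/Disconnect
    originated after it (if any) and what the NAS answered (if anything)."""
    records, pending, current = [], {}, None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            code, pid, host, _port = m.groups()
            if code.startswith("Access-"):
                current = {"reply": code, "id": int(pid), "nas": host,
                           "coa": None, "nas_answer": None}
                records.append(current)
            elif current is not None:  # heuristic: attach to last reply
                current["coa"] = {"code": code, "id": int(pid)}
                pending[(host, int(pid))] = current
            continue
        m = RECV_RE.match(line)
        if m:
            code, host, _port, pid = m.groups()
            rec = pending.pop((host, int(pid)), None)
            if rec is not None:
                rec["nas_answer"] = code
    return records


def missing_disconnects(records):
    """Replies after which no Disconnect/CoA was originated at all."""
    return [r for r in records if r["coa"] is None]
```

Run it over a real debug log (`analyse_trace(open("radiusd.log").read())`) to confirm both that the Disconnect-Request left the server and that the NAS acknowledged it rather than NAKing a wrong Acct-Session-Id.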