VSA attributes sent with Access-Reject response
Contact (COEXSI)
contact at coexsi.fr
Thu May 15 16:26:42 CEST 2014
Dear all,
Doing some tests with FreeRADIUS Version 2.2.3, we have noticed that the VSA
attributes normally sent with an Access-Accept response were also sent on
Access-Reject response.
This was also observed with the Access-Challenge response sent by the server
when doing EAP exchange.
This doesn't seem normal as per the FAQ :
http://wiki.freeradius.org/guide/faq#VSA-in-Access-Reject
"According RFC 2865 (section 5.44) Vendor-Specific Attributes aren't allow
in Access-Reject packets."
Below, there is a log for a simple PAP request with an intentionally wrong
password to generate an Access-Reject response from the server to illustrate
the issue.
The user clear text password and the attributes list are coming a MySQL
database using stored procedure.
Best regards,
Sebastien.
Output of radiusd -sX for the query:
====================================
rad_recv: Access-Request packet from host X.X.X.X port 32878, id=137,
length=165
Acct-Session-Id = "78e9e86a"
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "my_nas"
Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
Called-Station-Id = "XX-XX-XX-XX-XX-XX"
Framed-IP-Address = X.X.X.X
User-Password = "wrong_password"
NAS-Identifier = "my_nas"
NAS-IP-Address = X.X.X.X
Framed-MTU = 1496
Connect-Info = "HTTPS"
Service-Type = Administrative-User
server my_server {
# Executing section authorize from file /etc/raddb/partner.conf
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[sql] expand: %{User-Name} -> my_nas
[sql] sql_set_user escaped user --> 'my_nas'
Closing socket 91 as its lifetime has been exceeded
rlm_sql (sql): Trying to (re)connect unconnected handle 91..
rlm_sql (sql): Attempting to connect rlm_sql_mysql #91
rlm_sql_mysql: Starting connect to MySQL server for #91
rlm_sql (sql): Connected new DB handle, #91
rlm_sql (sql): Reserving sql socket id: 91
rlm_sql (sql): got socket 91 after skipping 0 unconnected handles, tried to
reconnect 1 though
[sql] expand: CALL my_stored_procedure ('%{Virtual-Server}','AUTH_REQ'
,'%{User-Name}','%{Client-IP-Address}','%{Calling-Station-Id}','%{Acct-Sessi
on-Id}','%{NAS-Identifier}','%{Called-Station-Id}','%{Framed-Protocol}','%{A
cct-Delay-Time}','%{Acct-Terminate-Cause}','%{Acct-Session-Time}','%{Acct-Ou
tput-Packets}','%{Acct-Input-Packets}','%{Cleartext-Password}','%{reply:Pack
et-Type}','%{Acct-Status-Type}') -> CALL my_stored_procedure
('my_server','AUTH_REQ'
,'my_nas','X.X.X.X','XX-XX-XX-XX-XX-XX','78e9e86a','my_nas','XX-XX-XX-XX-XX-
XX','','','','','','','','0','')
[sql] User found in radcheck table
[sql] expand: CALL my_stored_procedure ('%{Virtual-Server}','AUTH_REPL'
,'%{User-Name}','%{Client-IP-Address}','%{Calling-Station-Id}','%{Acct-Sessi
on-Id}','%{NAS-Identifier}','%{Called-Station-Id}','%{Framed-Protocol}','%{A
cct-Delay-Time}','%{Acct-Terminate-Cause}','%{Acct-Session-Time}','%{Acct-Ou
tput-Packets}','%{Acct-Input-Packets}','%{Cleartext-Password}','%{reply:Pack
et-Type}','%{Acct-Status-Type}') -> CALL my_stored_procedure
('my_server','AUTH_REPL'
,'my_nas','X.X.X.X','XX-XX-XX-XX-XX-XX','78e9e86a','my_nas','XX-XX-XX-XX-XX-
XX','','','','','','','','0','')
rlm_sql (sql): Released sql socket id: 91
++[sql] = ok
++[pap] = updated
+} # group authorize = updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/partner.conf
+group PAP {
[pap] login attempt with password "wrong_password"
[pap] Using clear text password "xdwxknqpct"
[pap] Passwords don't match
++[pap] = reject
+} # group PAP = reject
Failed to authenticate the user.
} # server my_server
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/partner.conf
+group REJECT {
[sql] expand: %{User-Name} -> my_nas
[sql] sql_set_user escaped user --> 'my_nas'
[sql] expand: CALL my_stored_procedure ('%{Virtual-Server}','AUTH_POST'
,'%{User-Name}','%{Client-IP-Address}','%{Calling-Station-Id}','%{Acct-Sessi
on-Id}','%{NAS-Identifier}','%{Called-Station-Id}','%{Framed-Protocol}','%{A
cct-Delay-Time}','%{Acct-Terminate-Cause}','%{Acct-Session-Time}','%{Acct-Ou
tput-Packets}','%{Acct-Input-Packets}','%{Cleartext-Password}','%{reply:Pack
et-Type}','%{Acct-Status-Type}') -> CALL my_stored_procedure
('my_server','AUTH_POST'
,'my_nas','X.X.X.X','XX-XX-XX-XX-XX-XX','78e9e86a','my_nas','XX-XX-XX-XX-XX-
XX','','','','','','','','Access-Reject','')
rlm_sql (sql) in sql_postauth: query is CALL my_stored_procedure
('my_server','AUTH_POST'
,'my_nas','X.X.X.X','XX-XX-XX-XX-XX-XX','78e9e86a','my_nas','XX-XX-XX-XX-XX-
XX','','','','','','','','Access-Reject','')
Closing socket 90 as its lifetime has been exceeded
rlm_sql (sql): Trying to (re)connect unconnected handle 90..
rlm_sql (sql): Attempting to connect rlm_sql_mysql #90
rlm_sql_mysql: Starting connect to MySQL server for #90
rlm_sql (sql): Connected new DB handle, #90
rlm_sql (sql): Reserving sql socket id: 90
rlm_sql (sql): got socket 90 after skipping 0 unconnected handles, tried to
reconnect 1 though
rlm_sql (sql): Released sql socket id: 90
++[sql] = ok
+} # group REJECT = ok
Delaying reject of request 8 for 5 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 137 to X.X.X.X port 32878
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Colubris-AVPair +=
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Waking up in 14.9 seconds.
More information about the Freeradius-Users
mailing list