VSA attributes sent with Access-Reject response
Alan DeKok
aland at deployingradius.com
Thu May 15 16:53:06 CEST 2014
Contact (COEXSI) wrote:
> Doing some tests with FreeRADIUS Version 2.2.3, we have noticed that the VSA
> attributes normally sent with an Access-Accept response were also sent on
> Access-Reject response.
> This was also observed with the Access-Challenge response sent by the server
> when doing EAP exchange.
>
> This doesn't seem normal as per the FAQ :
> http://wiki.freeradius.org/guide/faq#VSA-in-Access-Reject
> "According RFC 2865 (section 5.44) Vendor-Specific Attributes aren't allow
> in Access-Reject packets."

You edited the default configuration, and broke it.

The default configuration has the following:

    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        # sql
        attr_filter.access_reject
    }

There is a similar line for EAP and Access-Challenge. The debug log
shows you've removed the "attr_filter.access_reject" line. Which is why
you're getting VSAs in the Access-Reject.

Alan DeKok.
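
Added example, not part of the original post and not FreeRADIUS code: a small check that reports any "Post-Auth-Type REJECT" section in a virtual server file where the "attr_filter.access_reject" call is missing or commented out. The function names and the two sample configurations are constructed for illustration, and the parser assumes one statement per line with no "#" inside quoted strings.

```python
import re
import sys

REQUIRED = "attr_filter.access_reject"  # module call named in the reply above

def strip_comment(line):
    """Drop a '#' comment (assumption: no '#' inside quoted strings)."""
    return line.split("#", 1)[0].strip()

def reject_sections(text):
    """Yield (start_line, statements) for each Post-Auth-Type REJECT block."""
    start, depth, body = None, 0, []
    for num, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue  # blank or fully commented-out line
        if start is None:
            if re.match(r"Post-Auth-Type\s+REJECT\s*\{$", line, re.I):
                start, depth, body = num, 1, []
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:          # closing brace of the REJECT section
            yield start, body
            start = None
        else:
            body.append(line)

def missing_filter(text):
    """Return start lines of REJECT sections that never call the filter."""
    return [start for start, body in reject_sections(text)
            if not any(stmt.split()[0] == REQUIRED for stmt in body)]

# Constructed samples: the default section, and one edited to drop the filter.
GOOD = """post-auth {
    Post-Auth-Type REJECT {
        # log failed authentications in SQL, too.
        # sql
        attr_filter.access_reject
    }
}
"""
BROKEN = GOOD.replace("        attr_filter", "#       attr_filter")

if __name__ == "__main__":
    # Usage: python check_reject_filter.py <virtual-server-file>
    with open(sys.argv[1]) as fh:
        bad = missing_filter(fh.read())
    for line_no in bad:
        print(f"line {line_no}: REJECT section does not call {REQUIRED}")
    sys.exit(1 if bad else 0)
```

A filter call nested inside a conditional within the section still counts as present, so a flagged file is a definite problem while a clean result only shows that the call exists somewhere in the section.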