VSA attributes sent with Access-Reject response

Alan DeKok aland at deployingradius.com
Thu May 15 16:53:06 CEST 2014

Contact (COEXSI) wrote:
> Doing some tests with FreeRADIUS Version 2.2.3, we have noticed that the VSA
> attributes normally sent with an Access-Accept response were also sent on
> Access-Reject response.
> This was also observed with the Access-Challenge response sent by the server
> when doing EAP exchange.
> This doesn't seem normal as per the FAQ :
> http://wiki.freeradius.org/guide/faq#VSA-in-Access-Reject
> "According RFC 2865 (section 5.44) Vendor-Specific Attributes aren't allow
> in Access-Reject packets."

  You edited the default configuration, and broke it.

  The default configuration has the following:

	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
#		sql

  There is a similar line for EAP and Access-Challenge.  The debug log
shows you've removed the "attr_filter.access_reject" line.  Which is why
you're getting VSAs in the Access-Reject.

  Alan DeKok.

More information about the Freeradius-Users mailing list