VSA attributes sent with Access-Reject response
Contact (COEXSI)
contact at coexsi.fr
Thu May 15 22:03:52 CEST 2014
> Date: Thu, 15 May 2014 10:53:06 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: VSA attributes sent with Access-Reject response
> Message-ID: <5374D4D2.2070504 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Contact (COEXSI) wrote:
> > Doing some tests with FreeRADIUS Version 2.2.3, we have noticed that
> > the VSA attributes normally sent with an Access-Accept response were
> > also sent on Access-Reject response.
> > This was also observed with the Access-Challenge response sent by the
> > server when doing EAP exchange.
> >
> > This doesn't seem normal as per the FAQ :
> > http://wiki.freeradius.org/guide/faq#VSA-in-Access-Reject
> > "According RFC 2865 (section 5.44) Vendor-Specific Attributes aren't
> > allow in Access-Reject packets."
>
> You edited the default configuration, and broke it.
>
> The default configuration has the following:
>
> Post-Auth-Type REJECT {
>         # log failed authentications in SQL, too.
>         # sql
>         attr_filter.access_reject
> }
>
Thank you Alan, this solves the problem for the Access-Reject response!
The default configuration explanation wasn't that clear to me.
> There is a similar line for EAP and Access-Challenge. The debug log
> shows you've removed the "attr_filter.access_reject" line. Which is why
> you're getting VSAs in the Access-Reject.
>
For filtering the Access-Challenge response when doing EAP, I've these lines
(commented) in the default configuration:
#       Auth-Type eap {
#               eap {
#                       handled = 1
#               }
#               if (handled && (Response-Packet-Type == Access-Challenge)) {
#                       attr_filter.access_challenge.post-auth
#                       handled  # override the "updated" code from attr_filter
#               }
#       }
When uncommenting them, I've a configuration parsing error:
Failed to find "handled" in the "modules" section.
Failed to parse "handled" entry.
Failed to parse "if" subsection.
The parsing error seems to be linked to the line "handled # override the
"updated" code from attr_filter".
I didn't find a definition of the "handled" keyword to understand the error.
> Alan DeKok.
>