3.0.10 and auth+acct type under the listen section
Alan DeKok
aland at deployingradius.com
Mon Dec 21 02:23:40 CET 2015
On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> I'm working on an in-place rebuild of another radius product using 3.0.10
> and noticed something very stupid that an upstream NAS is doing. It's going
> to be a major challenge to get the upstream NAS corrected.
>
> It's sending Auth & Acct messages on 1646.
1646 has been deprecated for 15+ years. Using one port for auth and acct was *never* allowed.
Please name and shame the vendor. There is *no* reason in 2015 to have such non-compliant behaviour.
> I tried setting the type to auth+acct in the sites-enabled/default listen
> section:
>
> listen {
> ipaddr = *
> port = 1646
> type = auth+acct
> # interface = eth0
> # clients = per_socket_clients
Hm... that's allowed only for TCP sockets. It's parsed but ignored for UDP sockets. I suppose that should be fixed.
> But if I receive an accounting message on that port, it gets rejected:
Yes.
> If I swap it back to acct then the Auth messages get rejected.
Yes.
> Any ideas on how to sort this?
Honestly, patch auth_socket_recv() to allow both Access-Request and Accounting-Request packets. Nothing else in the code will care. That should be ~15 lines or so.
We disallow it because it's wrong, and we want to discourage bad behaviour.
Alan DeKok.
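
The per-listener packet-code check discussed in the reply above, as an added example that is not part of the original message and is not FreeRADIUS source or the suggested patch. The type and function names (listen_type_t, check_request, make_header) are hypothetical; the packet codes and header layout are those of RFC 2865 and RFC 2866.

```c
#include <stddef.h>
#include <stdint.h>

/* RADIUS packet codes (RFC 2865 / RFC 2866). */
enum { ACCESS_REQUEST = 1, ACCOUNTING_REQUEST = 4 };

/* Hypothetical listener types, mirroring the "type = ..." values in the thread. */
typedef enum { LISTEN_AUTH, LISTEN_ACCT, LISTEN_AUTH_ACCT } listen_type_t;

typedef enum { PKT_ACCEPT, PKT_MALFORMED, PKT_WRONG_CODE } verdict_t;

#define RADIUS_HDR_LEN 20    /* code(1) + id(1) + length(2) + authenticator(16) */
#define RADIUS_MAX_LEN 4096

/* Decide whether a received UDP datagram may be processed on this listener. */
verdict_t check_request(listen_type_t type, const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < RADIUS_HDR_LEN)
        return PKT_MALFORMED;

    /* The length field is big-endian and covers the whole packet. A datagram
     * shorter than the claimed length is dropped; extra bytes are padding. */
    size_t claimed = ((size_t)buf[2] << 8) | buf[3];
    if (claimed < RADIUS_HDR_LEN || claimed > RADIUS_MAX_LEN || claimed > len)
        return PKT_MALFORMED;

    switch (buf[0]) {
    case ACCESS_REQUEST:      /* allowed on auth and auth+acct listeners */
        return (type == LISTEN_ACCT) ? PKT_WRONG_CODE : PKT_ACCEPT;
    case ACCOUNTING_REQUEST:  /* allowed on acct and auth+acct listeners */
        return (type == LISTEN_AUTH) ? PKT_WRONG_CODE : PKT_ACCEPT;
    default:                  /* replies and other codes: rejected in this sketch */
        return PKT_WRONG_CODE;
    }
}

/* Constructed sample input: a minimal 20-byte header with the given code. */
void make_header(uint8_t *buf, uint8_t code)
{
    for (size_t i = 0; i < RADIUS_HDR_LEN; i++)
        buf[i] = 0;
    buf[0] = code;
    buf[1] = 0x2a;            /* identifier (arbitrary) */
    buf[3] = RADIUS_HDR_LEN;  /* length = 20, high byte buf[2] stays 0 */
}
```
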