3.0.10 and auth+acct type under the listen section
Peter Lambrechtsen
peter at crypt.co.nz
Mon Dec 21 02:54:15 CET 2015
Thank you both for the great advice.
It turns out it was incorrect proxy configuration in 8950.
Sorted it out with a single line change in non-production, now the fun to
get it deployed into production.
On Mon, Dec 21, 2015 at 2:23 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Dec 20, 2015, at 3:38 PM, Peter Lambrechtsen <peter at crypt.co.nz> wrote:
> > I'm working on an in-place rebuild of another radius product using 3.0.10
> > and noticed something very stupid that an upstream NAS is doing. It's going
> > to be a major challenge to get the upstream NAS corrected.
> >
> > It's sending Auth & Acct messages on 1646.
>
> 1646 has been deprecated for 15+ years. Using one port for auth and
> acct was *never* allowed.
>
> Please name and shame the vendor. There is *no* reason in 2015 to have
> such non-compliant behaviour.
>
> > I tried setting the type to auth+acct in the sites-enabled/default listen
> > section:
> >
> > listen {
> > ipaddr = *
> > port = 1646
> > type = auth+acct
> > # interface = eth0
> > # clients = per_socket_clients
>
> Hm... that's allowed only for TCP sockets. It's parsed but ignored for
> UDP sockets. I suppose that should be fixed.
>
> > But if I receive an accounting message on that port, it gets rejected:
>
> Yes.
>
> > If I swap it back to acct then the Auth messages get rejected.
>
> Yes.
>
> > Any ideas on how to sort this?
>
> Honestly, patch auth_socket_recv() to allow both Access-Request and
> Accounting-Request packets. Nothing else in the code will care. That
> should be ~15 lines or so.
>
> We disallow it because it's wrong, and we want to discourage bad
> behaviour.
>
> Alan DeKok.
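The check discussed in the thread (an auth listener rejecting Accounting-Request, an acct listener rejecting Access-Request, and what allowing both on one port amounts to) can be shown with the C function below. It is an added example, not part of the thread and not FreeRADIUS source code; `listener_accepts`, `listen_type_t` and the sample packets are hypothetical names and constructed data.

```c
/* Added illustration; not FreeRADIUS source. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RADIUS packet codes (RFC 2865 / RFC 2866). */
enum { ACCESS_REQUEST = 1, ACCOUNTING_REQUEST = 4 };

/* Listener types, mirroring the "type = ..." values in the thread. */
typedef enum { LISTEN_AUTH, LISTEN_ACCT, LISTEN_AUTH_ACCT } listen_type_t;

#define RADIUS_HDR_LEN 20   /* code + id + length + 16-byte authenticator */
#define RADIUS_MAX_LEN 4096

/*
 * Return the packet code if this listener type should process the datagram,
 * 0 if the code is not allowed on this listener type, and -1 if the header
 * is malformed.
 */
int listener_accepts(listen_type_t type, const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < RADIUS_HDR_LEN)
        return -1;

    /* The length field is big-endian and must fit inside the datagram. */
    size_t claimed = ((size_t)buf[2] << 8) | buf[3];
    if (claimed < RADIUS_HDR_LEN || claimed > RADIUS_MAX_LEN || claimed > len)
        return -1;

    switch (buf[0]) {
    case ACCESS_REQUEST:
        return (type == LISTEN_ACCT) ? 0 : ACCESS_REQUEST;
    case ACCOUNTING_REQUEST:
        return (type == LISTEN_AUTH) ? 0 : ACCOUNTING_REQUEST;
    default:
        return 0;   /* replies and unknown codes are not accepted from a NAS */
    }
}

int main(void)
{
    /* Constructed 20-byte packets: code, id, length = 20, zero authenticator. */
    uint8_t auth[RADIUS_HDR_LEN] = { ACCESS_REQUEST, 7, 0, 20 };
    uint8_t acct[RADIUS_HDR_LEN] = { ACCOUNTING_REQUEST, 8, 0, 20 };

    printf("auth listener, acct packet: %d\n", listener_accepts(LISTEN_AUTH, acct, sizeof acct));
    printf("both listener, acct packet: %d\n", listener_accepts(LISTEN_AUTH_ACCT, acct, sizeof acct));
    printf("acct listener, auth packet: %d\n", listener_accepts(LISTEN_ACCT, auth, sizeof auth));
    return 0;
}
```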