Version 3.0.12 reply:Packet-Type not set to Access-Reject in Post-Auth-Type REJECT section
Thor Spruyt
thor.spruyt at telenet.be
Fri Nov 18 15:36:33 CET 2016
Hi,

I stumbled upon a possible issue with v3.0.12 when rejecting a previously accepted user in the post-auth section.

Here's my linelog module instance and post-auth section configuration:
linelog linelog_auth {
    filename = ${logdir}/radius.log
    reference = "%{reply:Packet-Type}"
    format = ""
    Access-Accept = "%t : Access-Accept: User-Name=%{User-Name}"
    Access-Reject = "%t : Access-Reject: User-Name=%{User-Name}"
}

post-auth {
    # ACCEPT {
    reject
    linelog_auth
    # }
    Post-Auth-Type REJECT {
        linelog_auth
    }
}
And here's the debugging output:
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known-good" SSHA-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/raddb/server.conf
(0) post-auth {
(0) [reject] = reject
(0) } # post-auth = reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/server.conf
(0) Post-Auth-Type REJECT {
(0) linelog_auth: EXPAND %{reply:Packet-Type}
(0) linelog_auth: --> Access-Accept
(0) linelog_auth: EXPAND %t : Access-Accept: User-Name=%{User-Name}
(0) linelog_auth: --> Fri Nov 18 15:12:54 2016 : Access-Accept: User-Name=x
(0) linelog_auth: EXPAND /var/log/radius/radius.log
(0) linelog_auth: --> /var/log/radius/radius.log
(0) [linelog_auth] = ok
(0) } # Post-Auth-Type REJECT = ok
(0) Sent Access-Reject Id 48 from x.x.x.x:1812 to x.x.x.x:1814 length 0
(0) Finished request
So using the always reject module in post-auth works to get an Access-Reject at the end.
But for some reason, it looks like the reply:Packet-Type is not changed to Access-Reject when entering the Post-Auth-Type REJECT section.
Am I forgetting to set something in addition to just "reject", or should the reply:Packet-Type value have been updated when the linelog module is called?
My workaround would be to set reply:Packet-Type in the Post-Auth-Type REJECT section before calling the linelog module.
Like so and then it works ok:
post-auth {
    # ACCEPT {
    reject
    linelog_auth
    # }
    Post-Auth-Type REJECT {
        update reply {
            Packet-Type := Access-Reject
        }
        linelog_auth
    }
}
Would that be a good workaround, or are there better workarounds?
--
Regards,
Thor