access reject problem

Greg Antic greg.antic at stc.za.com
Fri Jan 13 13:19:16 CET 2017


> Firstly, do you have a log which shows that FreeRADIUS actually returned Access-Accept? Turning on auth detail logging may help here - or better, capture all the radius traffic with tcpdump.

I can see the start radius packet in the NAS log, I will look at detail logging and packet capture. 

> If so, you might want to check how you've configured the database query.  If there is a temporary failure to retrieve the mysql query results, you want FreeRADIUS to reject, not to continue as if there was a successful query with no results.

When our mysql connection is "offline" nobody can authenticate to get a session. I had a look through the config files but can't see where you would set an implicit reject or default action? We use mysql on the same box so all connections are local. 

This is an account on an ADSL network, there are multiple NAS's sending the authentication requests to freeradius from the ADSL network. Right now the way I am preventing the account from coming up again is by changing the allowed calling id. 

Matthew has guided me on getting some logs so will travel the road and revert. 

-----Original Message-----
From: Brian Candler [mailto:b.candler at pobox.com] 
Sent: Friday, 13 January 2017 1:12 PM
To: Greg Antic <greg.antic at stc.za.com>; freeradius-users at lists.freeradius.org
Subject: Re: access reject problem

On 13/01/2017 07:18, Greg Antic wrote:
> The user account has been disabled and the auth-type set as per radcheck output below. The logs show rejected for many hours and all of a sudden it will start a session however the postauth table shows it was rejected. It's almost like freeradius gets tired of saying no and eventually gives in and says yes.

Firstly, do you have a log which shows that FreeRADIUS actually returned Access-Accept? Turning on auth detail logging may help here - or better, capture all the radius traffic with tcpdump.


If FreeRADIUS returned Access-Reject (which apparently the logs say), but the NAS allowed a session to start, then clearly the NAS is at fault.  I'd want tcpdump evidence to be sure it's that.

The alternative explanation is that FreeRADIUS is occasionally returning Access-Accept instead of Access-Reject, and again tcpdump will show you if that's the case.

If so, you might want to check how you've configured the database query.  If there is a temporary failure to retrieve the mysql query results, you want FreeRADIUS to reject, not to continue as if there was a successful query with no results.

In particular:

- are you using configurable failover between multiple databases?

- if so, have you ensured that if all sources are unavailable, the default is to reject?

It might be useful if you could simulate a mysql query error, for example by sending a bad SQL query or by shutting down the database, and seeing what happens in those circumstances.

But it seems rather odd, because your radcheck table contains the Cleartext-Password as well as the Auth-Type; so for a successful auth I would have thought at least the Cleartext-Password was being retrieved successfully.  This makes it seem unlikely that the database query is the problem.

Regards,

Brian.



More information about the Freeradius-Users mailing list