access reject problem
Alan DeKok
aland at deployingradius.com
Fri Jan 13 14:47:57 CET 2017
On Jan 13, 2017, at 8:33 AM, Greg Antic <greg.antic at stc.za.com> wrote:
>
> The radpostauth table shows the rejects up until the point that a session starts in radacct and then the rejects stop in the radpostauth table, I wasn’t clear on that initially below.
I understand.
Are you logging Access-Accepts in the radpostauth table? From the looks of it, the answer is either (1) No, or (2) yes, and there are no Access-Accepts being sent.
> When the session arrives in the radacct table the customer goes back online like a full successful authentication has taken place.
Please read what I read. I don't want to think I wasted my time trying to help you.
The NAS is in *complete control* of the user access. The RADIUS server is acting only as an advisor.
If FreeRADIUS sends an Access-Reject, the NAS may still allow the user on... if it's broken. There is nothing that FreeRADIUS can do about this.
Again, you need to find out what's happening. Log Access-Accepts, and use radsniff as a double-check. If FreeRADIUS never sends Access-Accepts but the NAS still lets the user on... the NAS is broken. Throw it in the garbage, and buy a new one.
There is just no situation possible where FreeRADIUS magically returns an Access-Accept. There *are* situations possible where a NAS is broken. Or where a NAS has a "fail to accept" VLAN, and lets the user on when the server returns a reject, or is unresponsive.
Alan DeKok.
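An added example, not part of the original message and not FreeRADIUS code: one way to run the suggested check, by listing accounting sessions that started with no logged Access-Accept shortly before them. It assumes Access-Accepts are being written to radpostauth and uses the column names of the default FreeRADIUS SQL schema. The in-memory SQLite database, the 60-second window and all sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (username, reply, authdate)
POSTAUTH = [
    ("alice", "Access-Accept", "2017-01-13 08:00:00"),
    ("bob",   "Access-Reject", "2017-01-13 08:05:00"),
    ("bob",   "Access-Reject", "2017-01-13 08:05:30"),
    ("carol", "Access-Reject", "2017-01-13 07:00:00"),
    ("carol", "Access-Accept", "2017-01-13 08:10:00"),
]
# Constructed sample rows: (acctsessionid, username, nasipaddress, acctstarttime)
ACCT = [
    ("s1", "alice", "10.0.0.1", "2017-01-13 08:00:02"),
    ("s2", "bob",   "10.0.0.1", "2017-01-13 08:05:40"),
    ("s3", "carol", "10.0.0.2", "2017-01-13 08:10:03"),
]

# A session is flagged when no Access-Accept for the same user was logged in
# the window before acctstarttime; rejects in that window are counted too.
QUERY = """
SELECT a.acctsessionid, a.username, a.nasipaddress,
       (SELECT COUNT(*) FROM radpostauth r
         WHERE r.username = a.username AND r.reply = 'Access-Reject'
           AND r.authdate BETWEEN datetime(a.acctstarttime, :back)
                              AND a.acctstarttime) AS rejects
FROM radacct a
WHERE NOT EXISTS (
    SELECT 1 FROM radpostauth p
     WHERE p.username = a.username AND p.reply = 'Access-Accept'
       AND p.authdate BETWEEN datetime(a.acctstarttime, :back)
                          AND a.acctstarttime)
ORDER BY a.acctstarttime
"""

def sessions_without_accept(postauth, acct, window_seconds=60):
    """Return (session id, user, NAS IP, reject count) for suspect sessions."""
    db = sqlite3.connect(":memory:")  # stand-in for the real RADIUS database
    db.execute("CREATE TABLE radpostauth (username TEXT, reply TEXT, authdate TEXT)")
    db.execute("CREATE TABLE radacct (acctsessionid TEXT, username TEXT, "
               "nasipaddress TEXT, acctstarttime TEXT)")
    db.executemany("INSERT INTO radpostauth VALUES (?,?,?)", postauth)
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", acct)
    return db.execute(QUERY, {"back": f"-{window_seconds} seconds"}).fetchall()

if __name__ == "__main__":
    for row in sessions_without_accept(POSTAUTH, ACCT):
        print(row)
```

Any row returned names a NAS that started a session without a logged Access-Accept, which is the case to confirm on the wire with radsniff.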