access reject problem

Alan DeKok aland at
Fri Jan 13 14:47:57 CET 2017

On Jan 13, 2017, at 8:33 AM, Greg Antic <greg.antic at> wrote:
> The radpostauth table shows the rejects up until the point that a session starts in radacct and then the rejects stop in the radpostauth table, I wasn’t clear on that initially below.

  I understand.

  Are you logging Access-Accepts in the radpostauth table?  From the looks of it, the answer is either (1) No, or (2) yes, and there are no Access-Accepts being sent.

> When the session arrives in the radacct table the customer goes back online like a full successful authentication has taken place.  

  Please read what I read.  I don't want to think I wasted my time trying to help you.

  The NAS is in *complete control* of the user access.  The RADIUS server is acting only as an advisor.

  If FreeRADIUS sends an Access-Reject, the NAS may still allow the user on... if it's broken.  There is nothing that FreeRADIUS can do about this.

  Again, you need to find out what's happening.  Log Access-Accepts, and use radsniff as a double-check.  If FreeRADIUS never sends Access-Accepts but the NAS still lets the user on... the NAS is broken.  Throw it in the garbage, and buy a new one.

  There is just no situation possible where FreeRADIUS magically returns an Access-Accept.  There *are* situations possible where a NAS is broken.  Or where a NAS has a "fail to accept" VLAN, and lets the user on when the server returns a reject, or is unresponsive.

  Alan DeKok.

More information about the Freeradius-Users mailing list