response sent after do_not_respond called
Geoffrey D. Bennett
g at netcraft.com.au
Tue Apr 24 07:35:15 CEST 2018
Hi there,

I'm having trouble getting the do_not_respond policy working in the
post-auth section with FreeRADIUS 3.0.17.

I've got a minimal testcase, reproduced with an almost-default 3.0.17
config built from (I only disabled EAP, removed EAP references from
sites-enabled/default and enabled test user "bob" in
mods-config/files/authorize).

I can insert do_not_respond at the top of the authorize or
authenticate sections, and I get the expected behaviour (no response
sent and "Not responding to request", "Not sending reply to client"
messages in the "radiusd -X" output).

E.g.:

    authenticate {
        Auth-Type PAP {
            do_not_respond
            ...

If I insert do_not_respond at the top of the post-auth section, then
an Access-Accept response is sent.

E.g.:

    post-auth {
        do_not_respond
        ...

Here are the differences between the "radiusd -X" output working vs.
not-working:

Working (do_not_respond in authenticate section):

(0) Found Auth-Type = PAP
(0) # Executing group from file .../freeradius-server-3.0.17/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0)     policy do_not_respond {
(0)       update control {
(0)         &Response-Packet-Type := Do-Not-Respond
(0)       } # update control = noop
(0)       [handled] = handled
(0)     } # policy do_not_respond = handled
(0)   } # Auth-Type PAP = handled
(0) Not responding to request
(0) # Executing section post-auth from file .../freeradius-server-3.0.17/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)   } # post-auth = noop
(0) Not sending reply to client.
(0) Finished request

Not working (do_not_respond in post-auth section):

(0) Found Auth-Type = PAP
(0) # Executing group from file .../freeradius-server-3.0.17/raddb/sites-enabled/default
(0)   Auth-Type PAP {
(0)     pap: Login attempt with password
(0)     pap: Comparing with "known good" Cleartext-Password
(0)     pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file .../freeradius-server-3.0.17/raddb/sites-enabled/default
(0)   post-auth {
(0)     policy do_not_respond {
(0)       update control {
(0)         &Response-Packet-Type := Do-Not-Respond
(0)       } # update control = noop
(0)       [handled] = handled
(0)     } # policy do_not_respond = handled
(0)   } # post-auth = handled
(0) Sent Access-Accept Id 73 from 127.0.0.1:1812 to 127.0.0.1:59268 length 0
(0)   Reply-Message = "Hello, bob"
(0) Finished request

My ultimate goal is to do this conditionally from rlm_perl, such as
described here:

http://lists.freeradius.org/pipermail/freeradius-users/2015-September/079600.html

but when I try that, I see the same results as above, which is how I
came up with this minimal test case.

Thanks,
Geoffrey.
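
Added example, not part of the original post or of FreeRADIUS: a small checker that scans "radiusd -X" output for the symptom reported above, a reply still being sent for a request in which the do_not_respond policy ran, and reports which section the policy ran in. The function name and the sample log are constructed for illustration, and the line format is assumed to match the debug lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in the post.
SAMPLE = """\
(0) post-auth {
(0) policy do_not_respond {
(0) update control {
(0) &Response-Packet-Type := Do-Not-Respond
(0) } # update control = noop
(0) } # policy do_not_respond = handled
(0) } # post-auth = handled
(0) Sent Access-Accept Id 73 from 127.0.0.1:1812 to 127.0.0.1:59268 length 0
(1) Auth-Type PAP {
(1) policy do_not_respond {
(1) } # policy do_not_respond = handled
(1) } # Auth-Type PAP = handled
(1) Not responding to request
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")   # "(request number) message"
SENT = re.compile(r"^Sent (\S+) Id \d+ ")  # reply actually put on the wire

def find_unsuppressed_replies(log_text):
    """Return (request, section, packet type) where do_not_respond ran but a reply was sent."""
    stacks = defaultdict(list)  # request number -> currently open blocks
    suppressed_in = {}          # request number -> section the policy ran in
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req, msg = int(m.group(1)), m.group(2).strip()
        stack = stacks[req]
        if msg.endswith("{"):
            name = msg[:-1].strip()
            if name == "policy do_not_respond":
                # The outermost open block is the section (e.g. post-auth).
                suppressed_in[req] = stack[0] if stack else "(unknown)"
            stack.append(name)
        elif msg.startswith("}") and stack:
            stack.pop()
        else:
            sent = SENT.match(msg)
            if sent and req in suppressed_in:
                findings.append((req, suppressed_in[req], sent.group(1)))
    return findings

if __name__ == "__main__":
    print(find_unsuppressed_replies(SAMPLE))
```

Fed a captured debug log, this can serve as a regression check when testing other server versions or policy placements.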