Discard / no Log
Nathan Ward
lists+freeradius at daork.net
Mon Apr 4 07:42:00 UTC 2022
Be careful doing this - as NASes may assume the RADIUS server has failed.
There may be a solution to your problem where you let the CPE connect, but add filters to block traffic / put them into a VRF which doesn’t let them do anything.
> On 4/04/2022, at 7:36 PM, Nick Porter <nick at portercomputing.co.uk> wrote:
>
> Hi Nicolas
>
> Instead of "return", you can use the policy "do_not_respond" which instructs FreeRADIUS not to respond to the request.
>
> This sets &reply:Packet-Type to Do-Not-Respond - which if you find things are still being logged, you can test for to avoid the logging.
>
> Nick
>
> On 04/04/2022 07:39, Nicolas Breuer wrote:
>> Hello,
>>
>> We are flooded by a wrong CPE configuration. Is there a way, if the realm is not configured in proxy.conf, to discard the packet silently and discard the log in the radius.log? I tried to return if “noop” but logging is still there 😊 Disabling the logging for auth_reject is not an option 😊
>>
>>
>> authorize {
>>
>>     # The preprocess module takes care of sanitizing some bizarre
>>     # attributes in the request, and turning them into attributes
>>     # which are more standard.
>>     #
>>     # It takes care of processing the 'raddb/mods-config/preprocess/hints'
>>     # and the 'raddb/mods-config/preprocess/huntgroups' files.
>>     preprocess
>>
>>     #
>>     # The chap module will set 'Auth-Type := CHAP' if we are
>>     # handling a CHAP request and Auth-Type has not already been set
>>     chap
>>
>>     #
>>     # If the users are logging in with an MS-CHAP-Challenge
>>     # attribute for authentication, the mschap module will find
>>     # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
>>     # to the request, which will cause the server to then use
>>     # the mschap module for authentication.
>>     mschap
>>
>>     #
>>     # Look for realms in user@domain format
>>     suffix
>>
>>     if (noop) {
>>         return
>>     }
>> …….
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Nick Porter
>
> Porter Computing Ltd
> Registered in England No 12659380
>