[cisco-bba] RADIUS Auth-Type=Reject but user passing authentication on LNS?

Matthew Melbourne matt at melbourne.org.uk
Thu May 23 12:26:06 EDT 2013


Hi,

I have an interesting scenario where a broadband user has
"Auth-Type=Reject" configured as an attribute in the back-end database of
FreeRADIUS, and this appears to be working, as radtest and radclient
confirm (the Access-Reject packet is received):

[root at radius-one radius]# echo "User-Name=mmelbourne at realm,Password=mypassword,Framed-Protocol=PPP" | radclient -x -s 127.0.0.1 auth radius_secret
Sending Access-Request of id 45 to 127.0.0.1 port 1812
        User-Name = "mmelbourne at realm"
        Password = "mypassword"
        Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=73
        Reply-Message = "Your account has been disabled, please call support"

           Total approved auths:  0
             Total denied auths:  1
               Total lost auths:  0

However, on the NAS (LNS), a radius debug shows that the authentication
succeeds with an Access-Accept, even though the "account disabled"
Reply-Message is received:

May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to 213.x.x.x:1812 id 21793/12, len 107
May 23 14:12:28.076: RADIUS:  authenticator 70 A9 8C A5 A8 79 A8 61 - 4D F6 99 37 F7 63 FE A5
May 23 14:12:28.076: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
May 23 14:12:28.076: RADIUS:  User-Name           [1]   21  "mmelbourne at realm"
May 23 14:12:28.076: RADIUS:  CHAP-Password       [3]   19  *
May 23 14:12:28.076: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
May 23 14:12:28.076: RADIUS:  NAS-Port            [5]   6   826
May 23 14:12:28.076: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID826"
May 23 14:12:28.076: RADIUS:  Service-Type        [6]   6   Framed                    [2]
May 23 14:12:28.076: RADIUS:  NAS-IP-Address      [4]   6   88.x.x.x
May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812, Access-Accept, len 157
May 23 14:12:28.084: RADIUS:  authenticator 79 6C DA EB 1A CC AD CA - BB E3 C9 CE D1 C3 AC 47
May 23 14:12:28.084: RADIUS:  Reply-Message       [18]  53
May 23 14:12:28.084: RADIUS:   59 6F 75 72 20 61 63 63 6F 75 6E 74 20 68 61 73  [Your account has]
May 23 14:12:28.084: RADIUS:   20 62 65 65 6E 20 64 69 73 61 62 6C 65 64 2C 20  [ been disabled, ]
May 23 14:12:28.084: RADIUS:   70 6C 65 61 73 65 20 63 61 6C 6C 20 73 75 70 70  [please call supp]
May 23 14:12:28.084: RADIUS:   6F 72 74               [ ort]
May 23 14:12:28.084: RADIUS:  Framed-IP-Address   [8]   6   77.x.x.x
May 23 14:12:28.084: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.255
May 23 14:12:28.084: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
May 23 14:12:28.084: RADIUS:  Service-Type        [6]   6   Framed                    [2]
May 23 14:12:28.084: RADIUS:  Vendor, Cisco       [26]  54
May 23 14:12:28.084: RADIUS:   Cisco AVpair       [1]   48  "ip:dns-servers=213.x.x.x 213.x.x.x"
May 23 14:12:28.084: RADIUS:  Idle-Timeout        [28]  6   28800


The only difference I can see is that the first example uses a plain-text
password, and the RADIUS on the LNS is using CHAP?

The backend database has "=" in the 'op' field (and not ":="), so the
returned attribute is "Auth-Type = Reject" and not "Auth-Type := Reject",
but it is correctly rejected using radtest/radclient.

Has anyone seen anything similar? The NAS is a 7206VXR running 12.2(31)SB2
and the backend is FreeRADIUS 1.1.

Cheers,
Matt

-- 
Matthew Melbourne
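The two tests above do not present the same credential attribute to the server: the radclient run carries a PAP-style User-Password (the "Password" alias), while the LNS debug shows CHAP-Password. The following is an added example, not code from the post, that builds both attributes as RFC 2865 defines them so the difference the server sees can be reproduced locally; the shared secret, Request Authenticator and CHAP identifier are constructed sample values.

```python
import hashlib

# RFC 2865 s5.2: User-Password is the cleartext padded to a multiple of 16 bytes
# and XORed with chained MD5 keystream blocks derived from the shared secret.
def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block            # next key is keyed on the ciphertext block
    return out

# Server side: reverse the chaining to recover the cleartext the NAS sent.
def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

# RFC 2865 s5.3: CHAP-Password is one identifier byte followed by
# MD5(ident || password || challenge). When the request carries no
# CHAP-Challenge attribute, the challenge is the Request Authenticator.
def chap_encode(ident: int, password: bytes, challenge: bytes) -> bytes:
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()

# Server side: CHAP cannot be decrypted; the server must hold the cleartext
# password and recompute the hash, which is why it is a separate code path
# from PAP on the server.
def chap_verify(chap_password: bytes, cleartext: bytes, challenge: bytes) -> bool:
    if len(chap_password) != 17:
        return False
    return chap_encode(chap_password[0], cleartext, challenge) == chap_password

if __name__ == "__main__":
    secret = b"radius_secret"          # constructed sample shared secret
    authenticator = bytes(range(16))   # constructed sample Request Authenticator
    print(pap_encode(b"mypassword", secret, authenticator).hex())
    print(chap_encode(0x2A, b"mypassword", authenticator).hex())
```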