<div dir="ltr"><div><div><div><div><div><div><div>Hi, <br><br></div>I have an interesting scenario where a broadband user has "Auth-Type=Reject" configured as an attribute in the back-end database of FreeRADIUS, and this appears to be working, as radtest and radclient confirm (the Access-Reject packet is received):<br>
<br>[root@radius-one radius]# echo "User-Name=mmelbourne@realm,Password=mypassword,Framed-Protocol=PPP" | radclient -x -s 127.0.0.1 auth radius_secret<br>Sending Access-Request of id 45 to 127.0.0.1 port 1812<br>
User-Name = "mmelbourne@realm"<br> Password = "mypassword"<br> Framed-Protocol = PPP<br>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=73<br>
Reply-Message = "Your account has been disabled, please call support"<br><br> Total approved auths: 0<br> Total denied auths: 1<br> Total lost auths: 0<br><br></div>
However, on the NAS (LNS), a radius debug shows that the authentication succeeds with an Access-Accept, even though the "account disabled" Reply-Message is received:<br><br>May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to 213.x.x.x:1812 id 21793/12, len 107<br>
May 23 14:12:28.076: RADIUS: authenticator 70 A9 8C A5 A8 79 A8 61 - 4D F6 99 37 F7 63 FE A5<br>May 23 14:12:28.076: RADIUS: Framed-Protocol [7] 6 PPP [1]<br>May 23 14:12:28.076: RADIUS: User-Name [1] 21 "mmelbourne@realm"<br>
May 23 14:12:28.076: RADIUS: CHAP-Password [3] 19 *<br>May 23 14:12:28.076: RADIUS: NAS-Port-Type [61] 6 Virtual [5]<br>May 23 14:12:28.076: RADIUS: NAS-Port [5] 6 826<br>
May 23 14:12:28.076: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID826"<br>May 23 14:12:28.076: RADIUS: Service-Type [6] 6 Framed [2]<br>May 23 14:12:28.076: RADIUS: NAS-IP-Address [4] 6 88.x.x.x<br>
May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812, Access-Accept, len 157<br>May 23 14:12:28.084: RADIUS: authenticator 79 6C DA EB 1A CC AD CA - BB E3 C9 CE D1 C3 AC 47<br>May 23 14:12:28.084: RADIUS: Reply-Message [18] 53<br>
May 23 14:12:28.084: RADIUS: 59 6F 75 72 20 61 63 63 6F 75 6E 74 20 68 61 73 [Your account has]<br>May 23 14:12:28.084: RADIUS: 20 62 65 65 6E 20 64 69 73 61 62 6C 65 64 2C 20 [ been disabled, ]<br>May 23 14:12:28.084: RADIUS: 70 6C 65 61 73 65 20 63 61 6C 6C 20 73 75 70 70 [please call supp]<br>
May 23 14:12:28.084: RADIUS: 6F 72 74 [ ort]<br>May 23 14:12:28.084: RADIUS: Framed-IP-Address [8] 6 77.x.x.x<br>May 23 14:12:28.084: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255<br>May 23 14:12:28.084: RADIUS: Framed-Protocol [7] 6 PPP [1]<br>
May 23 14:12:28.084: RADIUS: Service-Type [6] 6 Framed [2]<br>May 23 14:12:28.084: RADIUS: Vendor, Cisco [26] 54<br>May 23 14:12:28.084: RADIUS: Cisco AVpair [1] 48 "ip:dns-servers=213.x.x.x 213.x.x.x"<br>
May 23 14:12:28.084: RADIUS: Idle-Timeout [28] 6 28800<br><br></div><br></div>The only difference I can see is that the first example uses a plain-text password, and the RADIUS on the LNS is using CHAP? <br><br>
The backend database has "=" in the 'op' field (and not ":="), so the returned attribute is "Auth-Type = Reject" and not "Auth-Type := Reject", but it is correctly rejected using radtest/radclient.<br>
<br></div>Has anyone seen anything similar; the NAS is a 7026VXR running 12.2(31)SB2 and the backend is FreeRADIUS 1.1?<br><br></div>Cheers,<br></div>Matt<br clear="all"><div><div><div><div><div><div><div><div><div><br>-- <br>
Matthew Melbourne
</div></div></div></div></div></div></div></div></div></div>
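The behaviour described above is consistent with the FreeRADIUS check-item operator rules: a radcheck row using "=" sets Auth-Type only when nothing has set it yet, whereas ":=" always overrides. The Python below is an added model of that merge logic (not part of the post, and not FreeRADIUS code); it assumes the default 1.x authorize order, in which the chap module sets Auth-Type := CHAP before sql runs and the pap module runs after sql.

```python
"""Model of FreeRADIUS check-item operators (added example, not from the post).

Assumption: authorize runs chap, then sql, then pap. chap sets
"Auth-Type := CHAP" when a CHAP-Password is present; sql then applies the
user's radcheck rows; pap sets "Auth-Type := PAP" only if Auth-Type is unset.
"""


def apply_check_item(config, attr, op, value):
    """Apply one radcheck row to the server's config-item list.

    ':=' always sets/overrides; '=' sets only if the attribute is not yet
    present (FreeRADIUS semantics for server attributes such as Auth-Type).
    """
    if op == ":=":
        config[attr] = value
    elif op == "=":
        config.setdefault(attr, value)
    else:
        raise ValueError(f"operator {op!r} not modelled here")
    return config


def authorize(request, radcheck_rows):
    """Return the Auth-Type that would drive authentication for this request."""
    config = {}
    if "CHAP-Password" in request:          # chap module (runs before sql)
        config["Auth-Type"] = "CHAP"
    for attr, op, value in radcheck_rows:   # sql module: radcheck rows
        apply_check_item(config, attr, op, value)
    if "User-Password" in request:          # pap module (runs after sql)
        config.setdefault("Auth-Type", "PAP")
    return config.get("Auth-Type")


# Constructed radcheck rows: the "=" row from the post and a ":=" alternative.
ROW_EQUALS = [("Auth-Type", "=", "Reject")]
ROW_SET = [("Auth-Type", ":=", "Reject")]

# Constructed requests: radclient with a plain-text password vs. the LNS using CHAP.
PAP_REQUEST = {"User-Name": "user@realm", "User-Password": "secret"}
CHAP_REQUEST = {"User-Name": "user@realm", "CHAP-Password": "\x01..."}

if __name__ == "__main__":
    for rows in (ROW_EQUALS, ROW_SET):
        for req in (PAP_REQUEST, CHAP_REQUEST):
            kind = "PAP " if "User-Password" in req else "CHAP"
            print(f"op {rows[0][1]:>2}  {kind} request -> Auth-Type {authorize(req, rows)}")
```

Only the "=" row with a CHAP request ends up with Auth-Type CHAP (and so an Access-Accept); every other combination yields Reject, matching the radclient and LNS results in the post.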