[OpenSIPS-Devel] Misplaced radius error problem

Bogdan-Andrei Iancu bogdan at voice-system.ro
Wed Feb 10 16:28:40 CET 2010


Hi Michael,

I was following your arguments and I agree on REJECT_RC case, but why 
TIMEOUT_RC is not an error ? I guess is about the timeout on client 
side, waiting for a reply from radius server, right ?

Regards,
Bogdan

Michael Schloh von Bennewitz wrote:
> Hello list,
>
> On Tues, Dec 22, 2009, Michael Schloh von Bennewitz wrote:
>   
>> In revision 6377 rad.c from aaa_radius got changed for the better,
>> but introduced a new bug as well. The block of code in question
>> returns LM_ERR when the call to rc_auth(3) returns anything but
>> OK_RC. As you see from radiusclient-ng.h, other values exist:
>>
>>  /* 	Define return codes from "SendServer" utility */
>>  #define BADRESP_RC	-2
>>  #define ERROR_RC	-1
>>  #define OK_RC		0
>>  #define TIMEOUT_RC	1
>>  #define REJECT_RC	2
>>
>> The only return values leading to failure (and thus validating
>> the LM_ERR choice) are negative. So here's the correction:
>>
>> Index: modules/aaa_radius/rad.c
>> diff -Nau modules/aaa_radius/rad.c.orig modules/aaa_radius/rad.c
>> --- modules/aaa_radius/rad.c.orig	2009-12-10 19:57:33.000000000 +0100
>> +++ modules/aaa_radius/rad.c	2009-12-22 13:28:05.852461686 +0100
>> @@ -273,9 +273,14 @@
>> 				return -1;
>> 			}
>> 		}
>> -
>> -		LM_ERR("rc_auth function failed\n");
>> -		return -1;
>> +		else if (result == TIMEOUT_RC || result == REJECT_RC) {
>> +			LM_DBG("rc_auth function succeeded with result %d\n", result);
>> +			return result;
>> +		}
>> +		else /* if (result == ERROR_RC || result == BADRESP_RC) */ {
>> +			LM_ERR("rc_auth function failed with result %d\n", result);
>> +			return -1;
>> +		}
>> 	}
>>
>> 	if (request->type == AAA_ACCT) {
>>
>> What it does is correct the false negative condition in which a
>> properly functioning OpenSIPS 1.6.1 reports radius errors in the
>> log. Without the correction, every call to aaa_is_user_in() for users
>> which do not belong to the group in question produces an error in
>> the OpenSIPS log. Try it:
>>
>>    route {                                  # produces an error
>>        aaa_is_user_in("From", "suspened");  # for all users not
>>    }                                        # in group 'suspended'
>>
>> I'm assuming that the 'REJECT' returned from a radius server for
>> such calls is correct, although I'm not a radius expert.
>>
>>     
> Was this patch rejected? I see that no correction has been made
> to the flawed logic in rad.c.
>
> Regards,
> Michael
>
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro




More information about the Devel mailing list