[OpenSIPS-Devel] Misplaced radius error problem
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Wed Feb 10 16:28:40 CET 2010
Hi Michael,
I was following your arguments and I agree on REJECT_RC case, but why
TIMEOUT_RC is not an error ? I guess is about the timeout on client
side, waiting for a reply from radius server, right ?
Regards,
Bogdan
Michael Schloh von Bennewitz wrote:
> Hello list,
>
> On Tues, Dec 22, 2009, Michael Schloh von Bennewitz wrote:
>
>> In revision 6377 rad.c from aaa_radius got changed for the better,
>> but introduced a new bug as well. The block of code in question
>> returns LM_ERR when the call to rc_auth(3) returns anything but
>> OK_RC. As you see from radiusclient-ng.h, other values exist:
>>
>> /* Define return codes from "SendServer" utility */
>> #define BADRESP_RC -2
>> #define ERROR_RC -1
>> #define OK_RC 0
>> #define TIMEOUT_RC 1
>> #define REJECT_RC 2
>>
>> The only return values leading to failure (and thus validating
>> the LM_ERR choice) are negative. So here's the correction:
>>
>> Index: modules/aaa_radius/rad.c
>> diff -Nau modules/aaa_radius/rad.c.orig modules/aaa_radius/rad.c
>> --- modules/aaa_radius/rad.c.orig 2009-12-10 19:57:33.000000000 +0100
>> +++ modules/aaa_radius/rad.c 2009-12-22 13:28:05.852461686 +0100
>> @@ -273,9 +273,14 @@
>> return -1;
>> }
>> }
>> -
>> - LM_ERR("rc_auth function failed\n");
>> - return -1;
>> + else if (result == TIMEOUT_RC || result == REJECT_RC) {
>> + LM_DBG("rc_auth function succeeded with result %d\n", result);
>> + return result;
>> + }
>> + else /* if (result == ERROR_RC || result == BADRESP_RC) */ {
>> + LM_ERR("rc_auth function failed with result %d\n", result);
>> + return -1;
>> + }
>> }
>>
>> if (request->type == AAA_ACCT) {
>>
>> What it does is correct the false negative condition in which a
>> properly functioning OpenSIPS 1.6.1 reports radius errors in the
>> log. Without the correction, every call to aaa_is_user_in() for users
>> which do not belong to the group in question produces an error in
>> the OpenSIPS log. Try it:
>>
>> route { # produces an error
>> aaa_is_user_in("From", "suspened"); # for all users not
>> } # in group 'suspended'
>>
>> I'm assuming that the 'REJECT' returned from a radius server for
>> such calls is correct, although I'm not a radius expert.
>>
>>
> Was this patch rejected? I see that no correction has been made
> to the flawed logic in rad.c.
>
> Regards,
> Michael
>
>
--
Bogdan-Andrei Iancu
www.voice-system.ro
More information about the Devel
mailing list