freeradius-server icon indicating copy to clipboard operation
freeradius-server copied to clipboard

Published 20 hours ago verified publisher icon FreeRADIUS

radclient reports success where the filter is empty except for Response-Packet-Type, even if the response packet from FreeRADIUS contains attributes

Open arr2036 opened this issue 6 years ago • 1 comments

Issue type

.

  • Defect - Unexpected behaviour (obvious or verified by project member).

Defect

How to reproduce the issue

Create a radclient filter containing only Response-Packet-Type == Access-Accept.

Pass it to radclient with -f <input_file>:<filter_file>.

Configure FreeRADIUS to include a Reply-Message attribute in its response.

Observe how the response packet passes the filter even though there's no line accounting for the Reply-Message.

This could just be a documentation issue, and we could allow all attributes by default, and only perform matching on the ones specified.

Unsure whether this is truly in v4.0.x. It was originally observed in v3.0.x HEAD

arr2036 avatar Oct 30 '19 22:10 arr2036

It's likely that the filter is matching things, and there's no default saying "anything which isn't in the filter is not a match"

I think it works that way by intention, even if it is surprising here. i.e. filtering packets in radsniff, even when the packets contain other attributes which aren't in the filter.

alandekok avatar Oct 31 '19 14:10 alandekok