From: Herwin Weststrate <herwin@quarantainenet.nl>
Date: Wed, 9 Sep 2015 13:12:20 +0000 (+0200)
Subject: Optionally send rejects without a delay
X-Git-Tag: release_3_0_10~131
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7bbd0381601df73cd8141485ae331eed5798f01c;p=thirdparty%2Ffreeradius-server.git

Optionally send rejects without a delay

Currently there is only one global option to set a delay to every Access-Reject packet: reject_delay. There are use cases where you want certain rejects to have no delay, while others should have a delay. An example might be using 802.1X on Cisco LAN Devices: If a client tries MAC authentication an Access-Reject can force it to switch to 802.1X, this is a reject you want to send without any delay. On the other hand, if the client tries 802.1X with a wrong password, you still want the reject to be delayed.

By setting a value to FreeRADIUS-Response-Delay(-USec) in reply, we overwrite the global delay. The maximum supported value is 10, larger values result in a delay of 10 seconds. A value of 0 removes the delay. Not having this attribute in control results in using the global delay. If both FreeRADIUS-Response-Delay and FreeRADIUS-Response-Delay-USec are set, the second one is ignored.
---

diff --git a/src/main/process.c b/src/main/process.c
index 0453725b00e..74e31a85b46 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -1400,6 +1400,27 @@ static void request_finish(REQUEST *request, int action)
 	    (request->root->reject_delay.tv_sec > 0)) {
 		request->response_delay = request->root->reject_delay;
 
+		vp = fr_pair_find_by_num(request->reply->vps, PW_FREERADIUS_RESPONSE_DELAY, 0, TAG_ANY);
+		if (vp) {
+			if (vp->vp_integer <= 10) {
+				request->response_delay.tv_sec = vp->vp_integer;
+			} else {
+				request->response_delay.tv_sec = 10;
+			}
+			request->response_delay.tv_usec = 0;
+		} else {
+			vp = fr_pair_find_by_num(request->reply->vps, PW_FREERADIUS_RESPONSE_DELAY_USEC, 0, TAG_ANY);
+			if (vp) {
+				if (vp->vp_integer <= 10 * USEC) {
+					request->response_delay.tv_sec = vp->vp_integer / USEC;
+					request->response_delay.tv_usec = vp->vp_integer % USEC;
+				} else {
+					request->response_delay.tv_sec = 10;
+					request->response_delay.tv_usec = 0;
+				}
+			}
+		}
+
 #ifdef WITH_PROXY
 		/*
 		 *	If we timed out a proxy packet, don't delay