suppress Protocol-Error responses when the client doesn't support it
authorAlan T. DeKok <aland@freeradius.org>
Fri, 24 Oct 2025 10:13:40 +0000 (12:13 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Fri, 24 Oct 2025 18:21:54 +0000 (14:21 -0400)
and print out a descriptive message as to why the Protocol-Error
packet was suppressed

For Access-Request, however, swap the answer to Access-Reject.
RFC 8559 already says that a failed CoA can be answered with a NAK carrying Error-Cause.

src/listen/radius/proto_radius.c

index 19cf71dcd01614cd09115680471e3b918c09b016..bc96532161316154fa283bdcba64d5affecadf49 100644 (file)
@@ -457,6 +457,29 @@ static ssize_t mod_encode(UNUSED void const *instance, request_t *request, uint8
        client = address->radclient;
        fr_assert(client);
 
+       /*
+        *      The policy may ask us to send a Protocol-Error, but the client does not support it.  So we
+        *      suppress the response.
+        */
+       if ((request->reply->code == FR_RADIUS_CODE_PROTOCOL_ERROR) && !client->protocol_error) {
+               if (request->packet->code != FR_RADIUS_CODE_ACCESS_REQUEST) {
+                       RDEBUG("Client %s does not support Protocol-Error. Suppressing response",
+                              client->shortname);
+                       track->do_not_respond = true;
+                       return 1;
+               }
+
+               /*
+                *      If the client doesn't support Protocol-Error, swap it to Access-Reject.
+                *
+                *      Note that RFC 8559 already says that systems should send CoA-NAK or Disconnect-NAK
+                *      with Error-Cause if the packet can't be routed.
+                */
+               request->reply->code = FR_RADIUS_CODE_ACCESS_REJECT;
+               RDEBUG("Client %s does not support Protocol-Error - rewriting to Access-Reject",
+                      client->shortname);
+       }
+
        /*
         *      Dynamic client stuff
         */
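Review bot: In the non-Access-Request branch the reply is dropped (`track->do_not_respond = true; return 1;`) for every other request code, yet the RFC 8559 remark sits in the Access-Request path and reads as if CoA/Disconnect were answered with a NAK here, which the visible code does not do. I would move that remark up to the suppression branch and state the contract, e.g. `/* Not rewritten to a NAK here: policy must set CoA-NAK / Disconnect-NAK itself, otherwise the client gets no reply and retransmits. */`. Both messages are logged with `RDEBUG`, so on a server running without debug output a dropped reply, or a reject that was really a protocol failure, leaves no trace; `RWARN` (rate-limited, if the project has a helper for that) would let operators tell these apart from real rejects and timeouts. mod_encode begins and ends outside this hunk, so whether `return 1` matches the other do-not-respond paths cannot be confirmed from here.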