Dropping requests when no authentication possible

Chris Phillips chris at untrepid.com
Thu Mar 12 16:02:10 CET 2009


Hi,

I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However whilst
this leaves the service unable to authenticate the user, it still replies
back with a REJECT packet to the client. As such the client switch / router
whatever, doesn't try the next server in its config, as it's had a valid
RADIUS response.

Is there any way to force a logic whereby if the ldap module fails, it would
drop the RADIUS request on the floor, to make it look like a service failure
to the client? Kinda wrecks our resiliency model if not! We're only using a
single ldap server per box, but even if we were using other ldap servers on
other servers, there still is a logic whereby it may be impossible to reach
any LDAP server whilst another FreeRADIUS box can reach one, but is of a
lower order of preference so can't be used.

Thanks

Chris
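
The failover behaviour described in the message above, as an added model that is not part of the original post and is not FreeRADIUS code or configuration. The function names, the sample user and the `drop_on_backend_failure` switch are hypothetical; the client logic assumes, as the post reports, that any valid reply is treated as final and only silence moves the client to the next server.

```python
from typing import Callable, List, Optional, Tuple

ACCEPT, REJECT = "Access-Accept", "Access-Reject"
Server = Callable[[str, str], Optional[str]]


def make_server(ldap_up: bool, drop_on_backend_failure: bool) -> Server:
    """Model one RADIUS server whose only authentication backend is LDAP."""
    directory = {"alice": "s3cret"}  # constructed sample directory entry

    def handle(user: str, password: str) -> Optional[str]:
        if not ldap_up:
            # Backend failure: the server cannot decide. It either answers
            # with a reject anyway, or stays silent (None = no reply sent).
            return None if drop_on_backend_failure else REJECT
        return ACCEPT if directory.get(user) == password else REJECT

    return handle


def nas_authenticate(servers: List[Server], user: str, password: str,
                     retries: int = 2) -> Tuple[Optional[str], Optional[int]]:
    """Client (switch/router) side: walk the servers in preference order.

    Returns (reply, index of the server that answered), or (None, None)
    when every server timed out on every retry.
    """
    for index, server in enumerate(servers):
        for _ in range(retries):
            reply = server(user, password)
            if reply is not None:
                # A valid RADIUS reply, accept or reject, ends the attempt.
                return reply, index
        # Only a run of timeouts marks this server as failed.
    return None, None


if __name__ == "__main__":
    healthy = make_server(ldap_up=True, drop_on_backend_failure=False)
    for drop in (False, True):
        primary = make_server(ldap_up=False, drop_on_backend_failure=drop)
        print("drop" if drop else "reject",
              nas_authenticate([primary, healthy], "alice", "s3cret"))
```
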