Dropping requests when no authentication possible

A.L.M.Buxey at lboro.ac.uk
Thu Mar 12 18:07:08 CET 2009


Hi,

> Is there any way to force a logic whereby if the ldap module fails, it would
> drop the RADIUS request on the floor, to make it look like a service failure
> to the client? Kinda wrecks our resiliency model if not! We're only using a
> single ldap server per box, but even if we were using other ldap servers on
> other servers, there still is a logic whereby it may be impossible to reach
> any LDAP server whilst another FreeRADIUS box can reach one, but is of a
> lower order of preference so can't be used.

seems to be a current popular feature. if you read the mailing list archive
this very month there's a similar case for doing pretty much the same with SQL
(instead of your ldap).  you could, perhaps, not need to do this if you let
each RADIUS server also talk to each LDAP. you can then configure LDAP
as a failover/redundant system (see the guides/docs for doing redundant
LDAP).  so

RADIUS1 - ldap 1, ldap 2, ldap 3
RADIUS2 - ldap 2, ldap 1, ldap 3
RADIUS3 - ldap 3, ldap 2, ldap 1

if they can share their LDAP this would be ideal... however, if not, then
you'll have to use the method mentioned previously on the list - note
the (fail) and return the fail attribute to the NAS rather than reject.
if the NAS is good/proper, it'll try the next RADIUS itself.

alan
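An added illustration of the layout described above, not taken from the thread or from the FreeRADIUS distribution: one server's authorize section in FreeRADIUS 3.x unlang syntax. It assumes three hypothetical rlm_ldap instances named ldap1, ldap2 and ldap3 (each defined in mods-enabled/ldap with its own server line), listed in that server's own preference order; RADIUS2 and RADIUS3 would list them in a different order. The "drop on the floor" step uses the 3.x Do-Not-Respond mechanism, which is assumed here in place of whatever the earlier list post used.

```unlang
# Added example, not from the original thread. Assumes FreeRADIUS 3.x unlang
# and three hypothetical rlm_ldap instances (ldap1, ldap2, ldap3), each with a
# different "server = ..." in mods-enabled/ldap. This is RADIUS1's ordering;
# RADIUS2 would list ldap2 first, RADIUS3 would list ldap3 first.

authorize {
    preprocess

    # Try each directory in order. A module that returns "fail" (server
    # unreachable, bind error, timeout) hands off to the next one; any other
    # return code (ok, notfound, reject, updated) ends the block and becomes
    # the block's result, so an unknown user is still rejected locally and
    # is not retried against the other directories.
    redundant {
        ldap1
        ldap2
        ldap3
    }

    # Only reached when every directory failed. Instead of an Access-Reject,
    # which a NAS would take as a definitive answer, send nothing at all: the
    # NAS times out and fails over to its next configured RADIUS server,
    # which may still have a reachable directory.
    if (fail) {
        update control {
            &Response-Packet-Type := Do-Not-Respond
        }
        handled
    }

    pap
}
```

The important distinction is between "fail" and "reject": a `reject` from any ldap instance means the directory answered and the user is not allowed, so the `redundant` block stops there and the NAS gets a proper Access-Reject; only a transport-level failure on every instance reaches the `if (fail)` branch. Keep the NAS retry count and timeout in mind when choosing LDAP timeouts, since the NAS only moves to its next RADIUS server after its own retries expire.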
