Dropping requests when no authentication possible

Chris Phillips chris at untrepid.com
Thu Mar 12 19:51:54 CET 2009


On Thu, Mar 12, 2009 at 4:33 PM, <tnt at kalik.net> wrote:

> >I've set up a 2.1.4 server, and working pretty well with authentication
> >against LDAP alone. What I've noticed though is that if the LDAP server is
> >down on the same box then the LDAP module, rightfully, fails. However whilst
> >this leaves the service unable to authenticate the user, it still replies
> >back with a REJECT packet to the client. As such the client switch / router
> >whatever, doesn't try the next server in its config, as it's had a valid
> >RADIUS response.
> >
> >Is there any way to force a logic whereby if the ldap module fails, it would
> >drop the RADIUS request on the floor, to make it look like a service failure
> >to the client?
>
> Read the list. There is another thread about the same "problem". Only
> about unreachable sql servers.
>
> Ivan Kalik
> Kalik Informatika ISP


Quite a coincidence, I was looking at the weekend and could find nothing.

I'll try having a go at the example in the sql thread:

authorize {
        ...
        redundant_sql
        if (fail) {
                update control {
                        # Do-Not-Respond
                        Response-Packet-Type = 256
                }
                reject
        }
        elsif (notfound) {
                reject
        }
}

And respond back one way or another.

Thanks

Chris