Want to silently discard the request if authentication module as web-service client connecting to the web service server is down.

Ankur G ankur.g at globallogic.com
Wed Aug 10 08:05:50 CEST 2011


Alexander,

We have a slightly different scenario. We have two different instances of the
web server connecting to two different RADIUS servers, such that if one of the
RADIUS servers is not able to connect to the web server, the RADIUS client can
fail over to another RADIUS server which has a different web server connecting.
The scenario is below:

  /--W1--\  --  /--- R1 ---\
                                     --- C
  /--W2--\  --  /--- R2 ---\

--Ankur

On Tue, Aug 9, 2011 at 11:54 PM, Alexander Clouter <alex at digriz.org.uk> wrote:

> Ankur G <ankur.g at globallogic.com> wrote:
> >
> > But if the exposed web-service is down, the RADIUS server simply rejects
> > the authentication request with the response message as "Access_Rejected".
> >
> > We want the RADIUS server, instead of rejecting, to simply discard the
> > authentication request, which will allow the RADIUS *client* to fail over
> > to another RADIUS server.
> >
> ...surely the other RADIUS server the client has listed will also be
> unable to process the request as the web service is down?
>
> If you have multiple web-service instances about, then your
> perl/python/exec code should failover to using other instances.
>
> I find it hard how this situation would help you in practice (W -> web,
> R -> RADIUS server, C -> RADIUS client) as surely if R1 is unable to
> talk to W, having C failover to R2 is not going to help?
>
>      /--- R1 ---\
>  W ---            --- C
>      \--- R2 ---/
>
> If you have W1 and W2, then R1 and R2 should be able to talk to both.
>
> > So while going through the FreeRADIUS configuration I came across the
> > "post-auth" section in the sites-available/default file, which states that
> > "Access-Reject packets are sent through the REJECT sub-section of the
> > post-auth section." and is as follows:
> >
> > Post-Auth-Type REJECT {
> >     # log failed authentications in SQL, too.
> >     #sql
> >    attr_filter.access_reject
> > }
> >
> > If you think this is the right approach, could you please provide me the
> > sample code using which I could check for the rlm status code and could
> > silently discard the responses other than the "RLM_MODULE_OK" and
> > "RLM_MODULE_REJECTED".
> >
> http://wiki.freeradius.org/Modules2#Module+Return+Codes
>
> RLM_MODULE_FAIL looks like a better option to use, although it will not
> give you what you want; but it would enable you to use unlang to perform
> other tasks.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: You fill a much-needed gap.
>



-- 

Thanks & Regards,

Ankur Gupta | Consultant-Engineering | GlobalLogic Inc.

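Added example (not part of the original thread or of FreeRADIUS): a sketch of the failover Alexander describes, done inside the authentication script itself, keeping a definite answer distinct from an outage so that an unreachable web service maps to a fail code and never to an accept. The endpoint protocol, the host names, `http_check`, `authenticate` and the numeric code values are assumptions for illustration.

```python
import urllib.error
import urllib.parse
import urllib.request

# Names follow the FreeRADIUS module return codes discussed in the thread;
# the numeric values are local to this example.
RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK = 0, 1, 2


class BackendDown(Exception):
    """The web service gave no usable answer (timeout, refused, 5xx)."""


def http_check(url, user, password, timeout=2.0):
    """Assumed protocol: POST the credentials; 200 = valid, 401/403 = invalid."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    try:
        with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False          # the service answered: credentials are wrong
        raise BackendDown(f"{url}: HTTP {exc.code}") from exc
    except OSError as exc:        # URLError, timeout, connection refused
        raise BackendDown(f"{url}: {exc}") from exc


def authenticate(user, password, backends, check=http_check):
    """Try each web-service instance in order and return a module code.

    A definite answer from any instance is final. Only when every instance
    is unreachable is FAIL returned; an outage never becomes OK.
    """
    for url in backends:
        try:
            valid = check(url, user, password)
        except BackendDown:
            continue              # this instance is down, try the next one
        return RLM_MODULE_OK if valid else RLM_MODULE_REJECT
    return RLM_MODULE_FAIL


# Constructed sample: W1 is down, W2 answers (placeholder host names).
def fake_check(url, user, password):
    if "w1" in url:
        raise BackendDown(url)
    return (user, password) == ("alice", "correct-horse")

BACKENDS = ["https://w1.example.invalid/auth", "https://w2.example.invalid/auth"]
```
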