response sent after do_not_respond called

Alan DeKok aland at deployingradius.com
Thu Apr 26 04:46:23 CEST 2018


On Apr 25, 2018, at 10:09 PM, Geoffrey D. Bennett <g at netcraft.com.au> wrote:
> My use case for this is that I have a database lookup in the post-auth
> section, and if the database connection fails I need to return no
> response so that the NAS will send its request to the other RADIUS
> server which has the backup database.

  That's useful, I must admit.

> Is there another way to do this from the post-auth section?

  Not really.  We would have to change the source code.

> I can't
> move these checks into the authorise section as they have to run after
> authentication. What do you think about adding support for this?

  You can just list the rules in the "authenticate" section.  e.g.

authenticate {
	Auth-Type PAP {  	# or whatever you use...
		pap			# will reject on failure
		do_database_stuff
	}
	...
}

> Could you point me in the appropriate direction to implement this if
> you'd accept such a patch?

  src/main/process.c.  Look for "Not responding to request".  And try to figure it out. :(

  Honestly, just move the database checks to the "authenticate" section, inside of whatever Auth-Type subsection is running.

  If you're using SQL, and you need to log to SQL, just do:

authenticate {
	Auth-Type PAP {  	# or whatever you use...
		pap			# will reject on failure
		sql.post_auth
	}
	...
}


  Which will run the "post-auth" rules for SQL, but during the "authenticate" phase.

  Alan DeKok.




More information about the Freeradius-Users mailing list