freeradius-client | multiple authservers and REJECT_RC
Hello, configuring multiple authserver in freeradius client the client retries to authenticate a user to all authservers configured although REJECT_RC is returned. This means an unauthenticated user (wrong password, no access rights) gets retried on all other authservers: line 117-119 (buildreq.c): for (i=0; (i < aaaserver->max) && (result != OK_RC) && (result != BADRESP_RC) ; i++, now = rc_getctime()) { This means that only if the result is OK (login succeeded) or the result is bogus (BADRESP_RC) the login is not retried. Is this the expected behaviour? I'd expect a failover to the other authservers on return codes other than OK_RC or REJECT_RC - as those are the only real radius replies. Could someone please also shed some light on the question: Will radius_deadtime work for other requests than PW_ACCOUNTING_REQUEST, as start_time gets initialized only if request_type is PW_ACCOUNTING_REQUEST? I don't seem to get the meaning of the code here... Rgds, Stefan
Hello Alan, hello list, any thoughts about OK_RC/REJECT_RC for failover authservers? It would be an easy fix - I just wanted to know if you share my opinion about when to failover to the next authserver... Rgds, Stefan On Fri, Apr 9, 2010 at 9:39 PM, Stefan Karss <stefan.karss@googlemail.com>wrote:
Hello,
configuring multiple authserver in freeradius client the client retries to authenticate a user to all authservers configured although REJECT_RC is returned. This means an unauthenticated user (wrong password, no access rights) gets retried on all other authservers:
line 117-119 (buildreq.c):
for (i=0; (i < aaaserver->max) && (result != OK_RC) && (result != BADRESP_RC) ; i++, now = rc_getctime()) {
This means that only if the result is OK (login succeeded) or the result is bogus (BADRESP_RC) the login is not retried. Is this the expected behaviour?
I'd expect a failover to the other authservers on return codes other than OK_RC or REJECT_RC - as those are the only real radius replies.
Could someone please also shed some light on the question: Will radius_deadtime work for other requests than PW_ACCOUNTING_REQUEST, as start_time gets initialized only if request_type is PW_ACCOUNTING_REQUEST? I don't seem to get the meaning of the code here...
Rgds, Stefan
Stefan Karss wrote:
any thoughts about OK_RC/REJECT_RC for failover authservers? It would be an easy fix - I just wanted to know if you share my opinion about when to failover to the next authserver...
Yes. It shouldn't do fail-over when it receives a reject. Please send a patch, and we'll incorporate that into the next release. Alan DeKok.
Hello Alan,
Please send a patch, and we'll incorporate that into the next release.
I attached a patch that just replaces BADRESP_RC with REJECT_RC. I think this is the right way to do it - in case of a BADRESP (reply packet not parsable) I'd retry on another server. Rgds, Stefan
participants (2)
-
Alan DeKok -
Stefan Karss