Ankur G <ankur.g@globallogic.com> wrote:
But If the exposed web-service is down, Radius server simply reject the authentication request with the response message as "Access_Rejected".
We want Radius server instead of rejecting, simply discard the authentication request which will allow the RADIUS *client* to failover to another RADIUS server.
...surely the other RADIUS server the client has listed will also be unable to process the request as the web service is down? If you have multiple web-service instances about, then your perl/python/exec code should failover to using other instances. I find it hard how this situation would help you in practise (W -> web, R -> RADIUS server, C -> RADIUS client) as surely if R1 is unable to talk to W, having C failover to R2 is not going to help? /--- R1 ---\ W --- --- C \--- R2 ---/ If you have W1 and W2, then R1 and R2 should be able to talk to both.
So while going through the FreeRadius configuration i came across the section in sites-avaliable/default file under "post-auth" section which state that "Access-Reject packets are sent through the REJECT sub-section of the post-auth section." and is as follow:
Post-Auth-Type REJECT { # log failed authentications in SQL, too. #sql attr_filter.access_reject }
If you think this is the right approach, could you please provide me the sample code using which if i could check for the rlm status code and could silently discard the responses other than the "RLM_MODULE_OK" and "RLM_MODULE_REJECTED.
http://wiki.freeradius.org/Modules2#Module+Return+Codes RLM_MODULE_FAIL looks like a better option to use, although it will not give you what you want; but it would enable you to use unlang to perform other tasks. Cheers -- Alexander Clouter .sigmonster says: You fill a much-needed gap.