Jethro Carr wrote:
The problem is, the NAS authenticating the users against FreeRadius considered the default authentication response (reject) to be a sign that FreeRadius on the server was OK and didn't fail over to the secondary server.
I was expecting it to return unreachable or just time out, instead of running the default auth behavior, but maybe I've missed a configuration option or have incorrect assumptions.
That's the way that the server works. It's still up, and *another* module might authenticate the user. If you want the server to not respond, see the "do_not_respond" entry in policy.conf.
Aside from "make sure your LDAP server doesn't die", ;-) can anyone make any recommendations around the best approach to take, so that in event of an LDAP outage on one host, FreeRadius returns a result (or nothing at all) that causes the NAS to fail over to the secondary host?
authorize { ... redundant { ldap do_not_respond } ... } That should work. Alan DeKok.