On Wed, Sep 9, 2015 at 10:28 AM, Sander Eerdekens < sander.eerdekens@uzleuven.be> wrote:
I'm using FreeRADIUS Version 2.2.8 and am wondering whether it is possible to ignore a request (i.e. send no reply at all) inside a rlm_perl module.
Let me explain why I believe dropping packets is a valid use case.
I'm implementing OTPs using SMS. I currently have two servers at two separate locations. Some of my RADIUS clients directly send an access request to both servers, instead of considering the primary server first and when no reply is received, considering the second. Because the servers don't synchronize state, in this particular case, the client would receive two SMS messages containing different OTPs.
Therefore, I would like the secondary server to ignore the access request by dropping the access request.
We use dropping packets for another scenario. We use FreeRADIUS for aaa for cisco switches (logging into SSH on them) instead of TacACS. The radius server authenticates against an LDAP server.
Howerver, if LDAP is down, we still want to be able to login to the switches with a predefined admin password. The way cisco implemented this is, "if the radius server does not respond, us the local password". Thus, if the ldap module fails (not rejects), we want to ignore the packet instead of sending an access-reject.
To achieve a "drop packet" you could use this configuration: Return RLM_MODULE_FAIL inside perl, And use this configuration inside the sites-enabled:
redundant { perl do_not_respond }
You can find do_not_respond in the policy.conf file. do_not_respond { update control { Response-Packet-Type := Do-Not-Respond }
handled }
However, you cannot do it directly from your perl module, you have to have some config in your sites-enabled to check and discard the packet.
Kind regards Sander Eerdekens
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Sander! This put me on the right track. As a matter of fact, you can specify the response packet type directly in rlm_perl, by doing: $RAD_CHECK{'Response-Packet-Type'} = 'Do-Not-Respond'; return RLM_MODULE_HANDLED; This way, no configuration change is needed in the site configuration. -- Harm