On Apr 25, 2018, at 10:09 PM, Geoffrey D. Bennett <g@netcraft.com.au> wrote:
My use case for this is that I have a database lookup in the post-auth section, and if the database connection fails I need to return no response so that the NAS will send its request to the other RADIUS server which has the backup database.
That's useful, I must admin.
Is there another way to do this from the post-auth section?
Not really. We would have to change the source code.
I can't move these checks into the authorise section as they have to run after authentication. What do you think about adding support for this?
You can just list the rules in the "authenticate" section. e.g. authenticate { Auth-Type PAP { # or whatever you use... pap # will reject on failure do_database_stuff } ... }
Could you point me in the appropriate direction to implement this if you'd accept such a patch?
src/main/process.c. Look for "Not responding to request". And try to figure it out. :( Honestly, just move the database checks to the "authenticate" section, inside of whatever Auth-Type subsection is running. If you're using SQL, and you need to log to SQL, just do: authenticate { Auth-Type PAP { # or whatever you use... pap # will reject on failure sql.post_auth } ... } Which will run the "post-auth" rules for SQL, but during the "authenticate" phase. Alan DeKok.