leopold wrote:
OK thanks Alan. I moved sql module call from "authorize" to "post-auth", this improves performance, but the behavior is different.
List "sql.authorize" in the post-auth section. Not "sql".
Inside policy.conf we have "do_not_respond" policy and if SQL server is down we need to force server not to respond in "post-auth"
The code currently sets the response packet type (accept / reject), and THEN calls the post-auth methods.
Is there any limit where do_not_respond can be used?
Yes. It cannot be used in the post-auth section. It sounds like your requirements are somewhat contradictory. You DON'T want it to query SQL for the EAP-TLS traffic, but you DO want it to ignore EAP-TLS if the SQL database is down. If the SQL database is down, and you don't want the server to respond, then just bring the server down. Write a simple shell script to poke the SQL server, and to re-start FreeRADIUS once the SQL server comes back up. Alan DeKok.