Hi guys I am trying to do something that seems a bit odd as I can't find it in any searches. Perhaps someone else here has done this before. I have FreeRadius successfully connected and working, serving authentication requests from a Mysql DB. It's running on a pfSense firewall and configured via the GUI but I doubt that makes any difference. I'm authenticating users connecting via a secure network to reach services and would like to change the authentication logic. If the MySQL server is down (yes I know it shouldn't be or I should have redundant servers) I would like the Radius server to always return an Access-Accept. I know this seems counter-intuitive for an authentication service but as I said it's via a secure network allowing users supplementary services that are better to give for free for a limited time than not to give at all in case of a backend outage. My thoughts on doing this were trying to authenticate via SQL first and then falling back to "users" file authentication with a RegExp or DEFAULT user to match a user pattern all users. Is this a good way to do it? From what I've seen, FreeRadius tries to use the users file before trying SQL by default but I changed the sites-enabled/default ordering and that seems to work for (notfound || noop) but not for ( fail ). If I use SQL and then (notfound || noop) then "file" and the user exists in the "users" file it works. DEFAULT user works as well for any user. Where I'm going wrong, I think is that in the sites-enabled/default it accepts the "fail" as a module response code but doesn't act on it when the sql1 fails. I've attached the debug log. redundant sql { sql1 } if ( fail ) { files if (notfound || noop) { reject } } } Thanks in advance! \\Clay