Problem with distributed proxy nodes - how do I pass back "unavailable" when upstream is down temporarily?

[Andrew O'Brien]

Hi all,

I'm fairly new to using radius for authentication so please excuse any
incorrect terminology. I'll give a brief overview of what I've got and
then describe where I want to go but don't know how :)

Setup
=====
I'm using freeradius 1.1.0 on a mixture of debian woody and sarge boxes.
There is a central radius server which holds all user auth and
optionally proxies some realms to LDAP etc - works like a charm.

I've also got a number of remote dumb proxy freeradius nodes running at
the other end of volatile links, say modem dialup, that connect back to
the central area for monitoring purposes. They are configured to proxy
NULL realms and DEFAULT back to the central server. Auth requests come
from cisco switches etc on the local LAN for each node. Again - works a
treat. A star radius network if you like.

The problem comes when the link between the remote node and central
server drops for a while. Local requests come in, the node tries to
contact central node, can't connect, temporarily marks the central
server as dead but then gives back an "unauthorised" message. This means
that the devices on the local node LAN never fail over to local auth and
we're effectively locked out of those devices :)

Question
========
So, how can I pass back a different radius message that causes the local
LAN devices to fall over to local auth instead of radius in the case
where the upstream is dead?


Alternatively, I could have a single account on the node itself with a
particular realm that doesn't get proxied but the intent of this setup
is to only allow device-specific local accounts to be used when the
radius is completely down.

How would you do this? Perhaps a completely different approach rather
than dump proxying is necessary?

Any feedback at all would be appreciated. Thanks!


-- 
Andrew O'Brien