Want to silently discard the request if authentication module as web-service client connecting to the web service server is down.

Alexander Clouter alex at digriz.org.uk
Tue Aug 9 20:24:05 CEST 2011


Ankur G <ankur.g at globallogic.com> wrote:
> 
> But if the exposed web-service is down, Radius server simply rejects the
> authentication request with the response message as "Access_Rejected".
>
> We want Radius server, instead of rejecting, to simply discard the
> authentication request which will allow the RADIUS *client* to failover to
> another RADIUS server.
>
...surely the other RADIUS server the client has listed will also be 
unable to process the request as the web service is down?

If you have multiple web-service instances about, then your 
perl/python/exec code should failover to using other instances.

I find it hard to see how this situation would help you in practice (W -> web, 
R -> RADIUS server, C -> RADIUS client) as surely if R1 is unable to 
talk to W, having C failover to R2 is not going to help?

      /--- R1 ---\
 W ---            --- C
      \--- R2 ---/
 
If you have W1 and W2, then R1 and R2 should be able to talk to both.

> So while going through the FreeRadius configuration I came across the section
> in sites-available/default file under "post-auth" section which states that
> "Access-Reject packets are sent through the REJECT sub-section of the
> post-auth section." and is as follows:
> 
> Post-Auth-Type REJECT {
>     # log failed authentications in SQL, too.
>     #sql
>    attr_filter.access_reject
> }
> 
> If you think this is the right approach, could you please provide me the sample
> code using which I could check for the rlm status code and could silently
> discard the responses other than the "RLM_MODULE_OK" and
> "RLM_MODULE_REJECTED".
> 
http://wiki.freeradius.org/Modules2#Module+Return+Codes

RLM_MODULE_FAIL looks like a better option to use, although it will not 
give you what you want; but it would enable you to use unlang to perform 
other tasks.

Cheers

-- 
Alexander Clouter
.sigmonster says: You fill a much-needed gap.
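
The failover suggested in the reply above (R1 and R2 each able to talk to W1 and W2), sketched as an added example that is not part of the original post or of FreeRADIUS itself: an rlm_python-style authenticate() that walks a list of web-service instances and only reports RLM_MODULE_FAIL when none is reachable. The endpoint URLs, the http_check() helper and the web service's request/response format are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

# Return-code values as defined in the radiusd.py helper used with rlm_python.
RLM_MODULE_REJECT, RLM_MODULE_FAIL, RLM_MODULE_OK, RLM_MODULE_NOOP = 0, 1, 2, 7

# Constructed endpoints standing in for W1 and W2 (not from the thread).
ENDPOINTS = ["https://w1.example.net/auth", "https://w2.example.net/auth"]


def http_check(url, user, password, timeout=2.0):
    """Hypothetical web-service call.

    Returns True/False when W gives a verdict; raises OSError when W is down.
    """
    data = urllib.parse.urlencode({"user": user, "password": password}).encode()
    try:
        with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return False      # W answered: the credentials are wrong
        raise                 # 5xx and the like: treat this instance as down


def authenticate(p, check=http_check, endpoints=ENDPOINTS):
    """p is the tuple of (attribute, value) pairs that rlm_python passes in."""
    attrs = dict(p)
    user = attrs.get("User-Name")
    password = attrs.get("User-Password")
    if user is None or password is None:
        return RLM_MODULE_NOOP    # nothing this module can verify
    for url in endpoints:
        try:
            verdict = check(url, user, password)
        except OSError:           # refused, timed out, DNS failure, HTTP 5xx
            continue              # this instance is down, try the next one
        # A reachable instance gave a real verdict, so a reject is genuine.
        return RLM_MODULE_OK if verdict else RLM_MODULE_REJECT
    # Every instance was unreachable: a module failure, not a user reject,
    # which unlang can then act on separately from a bad password.
    return RLM_MODULE_FAIL
```
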



