Unable to authenticate locally when remote proxy server is unavailable

Alan DeKok aland at deployingradius.com
Mon Jun 6 07:26:05 CEST 2011


jch2006 at verizon.net wrote:
> The questions I want to ask are as follows:
>
> 1. Is this the right method to perform this operation or there could be
> a simpler way to do this,
> i.e. authenticate the request using backup cache or database when remote
> Radius server is down?

  If you can authenticate the request with a DB, then the remote RADIUS
server is not needed.  Get rid of it.

  If you can't get a local DB, then when the remote RADIUS server is
down, users cannot authenticate.

> 2. Is there a way to know (by ping or other methods) if the remote
> radius server is down so
> that I can perform the local authentication right away when the 802.1x
> request is received
> instead of proxying the request a few times and then determining that
> the remote proxy Radius server
> is not alive or not available?

  See raddb/proxy.conf.  Look for "status-server".

  In short, the only way to see if it's up is to send it RADIUS packets.

> 3. If somehow I determine that the remote Radius server is unavailable
> and I get an 802.1x request
> (EAP-PEAP) can I verify the authenticity of the request using the local
> cache and send an
> Access-Accept somehow tricking the NAS to open the port?

  No.

> 4. Is it possible to reduce the time for e.g. "Waking up in 119.8 seconds"?

  No.  For one, you haven't explained why that time is a problem.  For
two, those timers are determined by the server's configuration.  If you
want that time to change, change the configuration.

  Alan DeKok.
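
The liveness check discussed in the answer to question 2, as an added example that is not part of the original post or of FreeRADIUS: a Status-Server (RFC 5997) probe that counts a home server as up only when the reply is authentic. The function names, the 3-second timeout and the shared secret used with them are assumptions, and the remote server is assumed to answer Status-Server packets.

```python
import hashlib
import hmac
import os
import socket
import struct

STATUS_SERVER = 12           # RFC 5997 packet code
MESSAGE_AUTHENTICATOR = 80   # attribute type, mandatory in Status-Server


def build_status_server(secret, ident, authenticator=None):
    """Return a Status-Server packet carrying a valid Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attr_hdr = bytes([MESSAGE_AUTHENTICATOR, 18])
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + authenticator
    # HMAC-MD5 over the whole packet with the attribute value zeroed.
    mac = hmac.new(secret, header + attr_hdr + bytes(16), hashlib.md5).digest()
    return header + attr_hdr + mac


def response_is_valid(secret, request, response):
    """Check ID and Response Authenticator so a spoofed reply is not counted."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or not 20 <= length <= len(response):
        return False
    # MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:length] + secret
    ).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(host, port, secret, timeout=3.0):
    """Send one probe; True only if an authentic reply arrives in time."""
    request = build_status_server(secret, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            response, _addr = sock.recvfrom(4096)
        except OSError:          # timeout or ICMP unreachable: treat as down
            return False
    return response_is_valid(secret, request, response)
```

A single lost UDP packet makes `probe` return False, so a monitor should require several consecutive failures before treating the server as down.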


