Behavior of FreeRADIUS auth when SQL backend becomes inaccessible

Alan DeKok aland at
Wed Mar 5 19:19:06 CET 2014

Patrick Wagner wrote:
> This is entirely equivalent to the implementation Arran has suggested,
> enclosing sql and do_not_respond in a "redundant" block, correct?


> I hadn't
> realised that a fallback to REJECT instead of "do_not_respond" in case
> of a module error (="fail") is indeed a safer default, because I always
> only thought about the issue from the angle of multiple RADIUS servers
> providing fail-over for each other, in which case a "failed" RADIUS
> server pretending to know the answer and replying with a valid but
> factually incorrect RADIUS reply to a NAS client didn't make sense to
> me. But Arran and you cleared that up for me, thanks.

  Yup.  That's why we do what we do.

> Yes, this makes sense now. I was confused as to why it wouldn't evaluate
> realmraute further down the config anymore in cases where SQL returned a
> "fail". It's all been fixed in our config and running fine now, at least
> as far as I'm able to test.

  That's good to hear.

  Alan DeKok.

More information about the Freeradius-Users mailing list