post-proxy and detecting dead upstream realms

Alan DeKok aland at deployingradius.com
Thu Jan 15 15:51:53 CET 2015


On Jan 15, 2015, at 9:39 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> I'd like to do something like this:
...
> post-proxy {
>  Post-Proxy-Type Timeout {

  That’s hard.

> The idea is that I have an upstream proxy (eduroam) with potentially hundreds of realms behind it. Some realms just don't respond, and when that happens above a certain threshold, I'd like to locally blacklist the realm and avoid sending them to the upstream proxy for some time period.

  That’s useful.  It should be an example in the default configuration.

  In v3, you can use the “cache” module to do this.

> The question: what method can I use to run a module/expansion when a proxy request isn't replied to. "Post-Proxy-Type Fail" doesn't seem to do it (in fact, I can't make it trigger at all in my tests).

  The issue is that the server is asynchronous.  It triggers “Post-Proxy-Type Fail” from client retransmissions.  If the client doesn’t retransmit… there isn’t much you can do.

> Looking at the source this might be impossible?

  Doing exactly what you want is hard.  Doing something related may be possible.

  In proxy.conf, set:

	no_response_fail = yes

  And then update the realm counter in “Post-Auth-Type Reject”.

  Arran and I are looking at changes to v3 which will make all of this much easier.

  Alan DeKok.
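
An added example, not part of the original message and not FreeRADIUS configuration: a Python model of the counting logic discussed above, where no-reply rejects are counted per realm and the realm is blacklisted locally for a hold-down period once a threshold is reached. The class name, the threshold, window and hold-down values, and the `proxy_replied` flag are assumptions.

```python
import time
from collections import defaultdict, deque

class RealmBlacklist:
    """Model of the decision logic only; names and defaults are assumptions."""

    def __init__(self, threshold=5, window=60.0, holddown=300.0, clock=time.monotonic):
        self.threshold, self.window, self.holddown = threshold, window, holddown
        self.clock = clock
        self._timeouts = defaultdict(deque)  # realm -> times of recent no-reply rejects
        self._blocked_until = {}             # realm -> time the hold-down ends

    @staticmethod
    def realm_of(user_name):
        # "user@realm" -> "realm" (lower-cased); None when there is no realm part.
        _, sep, realm = user_name.rpartition("@")
        return realm.lower() if sep and realm else None

    def is_blacklisted(self, user_name):
        # Checked before proxying: True means reject locally, do not go upstream.
        realm = self.realm_of(user_name)
        until = self._blocked_until.get(realm)
        if until is not None and self.clock() >= until:
            del self._blocked_until[realm]   # hold-down over, try upstream again
            until = None
        return until is not None

    def record_reject(self, user_name, proxy_replied):
        # Called where the reject is handled. A reject the upstream actually sent
        # (bad password) is not counted, so failed logins cannot block a realm.
        realm = self.realm_of(user_name)
        if realm is None or proxy_replied:
            return False
        now = self.clock()
        recent = self._timeouts[realm]
        recent.append(now)
        while now - recent[0] > self.window:  # drop timeouts outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return False
        self._blocked_until[realm] = now + self.holddown
        recent.clear()
        return True

if __name__ == "__main__":
    bl = RealmBlacklist(threshold=2)
    for user in ("a@dead.example", "b@dead.example"):  # constructed sample names
        bl.record_reject(user, proxy_replied=False)
    print(bl.is_blacklisted("c@dead.example"))
```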


